NEWS FROM THE LAB - March 2011


Thursday, March 31, 2011

Confirmed: Samsung is Not Shipping Keyloggers Posted by Mikko @ 12:25 GMT

We now have confirmation for what we wrote in our previous blog post: Samsung is not shipping keyloggers on their laptops.

The whole saga was caused by a false alarm in the VIPRE antivirus product. Apparently VIPRE detects the StarLogger keylogger merely by checking whether a directory called "SL" exists in the root of the Windows directory. This is a bad idea: the presence of a directory name proves nothing about what is installed.

As an example, here's a screenshot showing VIPRE alerting on a completely clean Windows computer after an empty "SL" folder was created:


As some Samsung laptops do indeed have a folder called "C:\WINDOWS\SL" on them by default, VIPRE would alert on them with a similar warning.
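To show why a presence check is a bad idea, here is an added example (not code from the original post, and not VIPRE's or anyone else's detection logic) in Python: the weak heuristic beside a check that actually inspects the folder's contents. Temporary directories stand in for C:\WINDOWS, and the "known-bad" hash is of a constructed byte string, not StarLogger's real hash, which the post does not give.

```python
import hashlib
import os
import tempfile

# Stand-in for a keylogger binary. Constructed bytes; this is NOT StarLogger's
# real hash, which the post does not give.
BAD_PAYLOAD = b"MZ" + b"constructed keylogger stand-in"
KNOWN_BAD_MD5 = {hashlib.md5(BAD_PAYLOAD).hexdigest()}


def weak_detect(windows_dir):
    """The heuristic described above: alert whenever <windows_dir>/SL exists.
    An empty folder, or an OEM folder that happens to share the name, fires it."""
    return os.path.isdir(os.path.join(windows_dir, "SL"))


def inspect_sl_folder(windows_dir):
    """Look inside the folder before raising an alarm. Returns (verdict, findings):
      'absent'    - no SL folder at all
      'clean'     - folder exists but holds no executables
      'review'    - executables present but none on the known-bad list (triage)
      'malicious' - a file matches a known-bad hash
    """
    sl = os.path.join(windows_dir, "SL")
    if not os.path.isdir(sl):
        return "absent", []
    findings = []
    for root, _dirs, files in os.walk(sl):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            findings.append({
                "file": os.path.relpath(path, sl),
                "md5": hashlib.md5(data).hexdigest(),
                "pe": data.startswith(b"MZ"),   # DOS/PE header: a Windows executable
            })
    if any(f["md5"] in KNOWN_BAD_MD5 for f in findings):
        return "malicious", findings
    if any(f["pe"] for f in findings):
        return "review", findings
    return "clean", findings


def _make_windows_dir(base, sl_files):
    """Create <base>/WINDOWS; if sl_files is not None, also WINDOWS/SL with those files."""
    windows_dir = os.path.join(base, "WINDOWS")
    os.makedirs(windows_dir)
    if sl_files is not None:
        os.makedirs(os.path.join(windows_dir, "SL"))
        for name, content in sl_files.items():
            with open(os.path.join(windows_dir, "SL", name), "wb") as fh:
                fh.write(content)
    return windows_dir


def compare_detections():
    """Run both checks over constructed machines (temporary directories stand in
    for C:\\WINDOWS). Returns {case: (weak_alert, content_verdict)}."""
    cases = {
        "no SL folder": None,
        "empty SL folder (the Samsung case)": {},
        "SL with only a text file": {"readme.txt": b"OEM notes"},
        "SL with an unknown executable": {"tool.exe": b"MZ" + b"\x00" * 64},
        "SL with a known-bad executable": {"sl.exe": BAD_PAYLOAD},
    }
    results = {}
    for label, files in cases.items():
        with tempfile.TemporaryDirectory() as base:
            windows_dir = _make_windows_dir(base, files)
            results[label] = (weak_detect(windows_dir), inspect_sl_folder(windows_dir)[0])
    return results


if __name__ == "__main__":
    for label, (weak, verdict) in compare_detections().items():
        print(f"{label:38s} presence-check alert={weak!s:5s} content verdict={verdict}")
```

The presence check alerts on every machine that has the folder, including the empty one; the content check only escalates when there is an executable to look at, and only calls it malicious when a hash matches. Real products use far richer signals than a hash set, but the principle is the same: a name alone is not evidence.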

Unfortunately Mohamed Hassan (CISSP), who did the original analysis, did not double-check his findings and blamed Samsung instead. Apparently he did not look at the contents of the "SL" folder at all.

Samsung is innocent.

Many thanks to fellow Twitterers @the_pc_doc, @SecurityLabsGR and @paulmutton who helped with the investigation!

Updated to add: Alex Eckelberry has published a blog post explaining further why VIPRE had the false alarm.


No Keyloggers on Samsung Laptops as Far as We Know Posted by Mikko @ 10:45 GMT

Network World has published an article claiming that Samsung Electronics installs Windows keyloggers on their laptops by default. This caused an uproar, as even Samsung support appeared to confirm this, saying that the commercial StarLogger keylogger is installed by default to "monitor the performance of the machine and to find out how it is being used".

All this is a bit hard to believe. F-Secure Anti-Virus detects StarLogger (as "Trojan.Generic.5223315"), as do many other antivirus products. We have not seen any spike in StarLogger reports.

There is a statement on denying these allegations. However, this site does not seem to be an official Samsung site.

So, what to do? Well, we went to a local IT store and checked some Samsung laptops ourselves.

Samsung Laptops

No, we did not find StarLogger, or any other keylogger, on the laptops we tested. These included Samsung models R540, RF710, QX310, SF510, X125, and NF310, all running different versions of Windows 7. Note that the list includes the Samsung R540, which was one of the laptop models mentioned in the original Network World report.

In summary, until proven otherwise, we don't believe Samsung has been installing keyloggers on their laptops by default.

We'd like to thank Eero Järvilehto at his for help.

P.S. Some people might find similarities between this case and the Sony Rootkit Saga. However, while Sony BMG was guilty, we're betting that Samsung is innocent.

Updated to add: Samsung is now confirmed to be innocent. See the details here.


Wednesday, March 30, 2011

Facebook HTTPS is a Bit More Done... Posted by Sean @ 13:37 GMT

Our February 23rd post noted that Facebook's SSL "Secure Browsing" preference had trouble staying persistent.

There's been some encouraging progress since then, and this is now what happens when a non-HTTPS application is accessed:

Facebook, Secure Browsing (HTTPS)

So at least the setting is persistent. Hopefully the feature will be more dynamic in the near future.

If you have a Facebook account, and want to update your settings for HTTPS, you'll find the option under Account Security.


Tuesday, March 29, 2011

Amazon's Password Policy Sucks Posted by Sean @ 19:10 GMT

Dear Jeff Bezos,

As a longtime Amazon customer, I just tried the new Amazon Cloud Player powered by Amazon Cloud Drive with great expectations.

And I have to say — pretty neat.

Amazon Cloud Drive

"All customers start with 5 GB of free Cloud Drive storage to get started. For a limited time, get a free upgrade to 20 GB of Cloud Drive storage with an MP3 album purchase."

Wow. 5 gigabytes with a free upgrade to 20 GB? That's awesome.

I only have one huge problem with it…

Amazon's password policy is seriously lacking.

This is the message generated when somebody attempts to set their password to "password" or "123456".

Amazon Password

Wait. What?!? Success… for password and 123456?

Well geez, at least Amazon's password policy doesn't accept "1234".

Amazon Problem

Look, Amazon has decent defenses in place to prevent somebody from hacking an account and then shipping products to a new address. For that, the attacker needs the entire credit card number and other details.

But now you've moved the product into the cloud! Shipping isn't required.

Gigabytes of online storage connected to a credit card will be a really tempting target for hackers. And because Amazon accounts are based on e-mail addresses… hackers won't even have to phish Amazon directly. They can just phish e-mail accounts and then try the same password at

— Another thing —

I just tried accessing my account using the wrong password more than ten times!

Just when do the brute force defenses kick-in?

I used the correct password on my 12th attempt (or so) and was then given direct access.
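As an added illustration (not code from the post, and not Amazon's), here are the two safeguards the letter asks for, in Python: a password check that refuses the three passwords shown above, and a login throttle that would have stopped the twelve-attempt test. The deny-list contents and the account name are constructed for the example.

```python
import time
from collections import defaultdict

# Constructed deny-list. A real deployment loads a large breached-password list;
# these entries are just the ones the letter shows Amazon accepting or refusing.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "1234"}
MIN_LENGTH = 8


def check_password(candidate):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    if candidate.isdigit():
        problems.append("digits only")
    return problems


class LoginThrottle:
    """Lock an account after `limit` failed attempts inside `window` seconds, and
    keep it locked for `lockout` seconds. While locked, even the correct password
    is refused, which is the brute-force defence the letter found missing."""

    def __init__(self, limit=5, window=900, lockout=900, clock=time.monotonic):
        self.limit, self.window, self.lockout, self.clock = limit, window, lockout, clock
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}

    def attempt(self, account, password_ok):
        """Returns 'ok', 'denied' (wrong password) or 'locked'."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        recent = [t for t in self.failures[account] if now - t < self.window]
        if password_ok:
            self.failures[account] = []
            return "ok"
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.limit:
            self.locked_until[account] = now + self.lockout
            return "locked"
        return "denied"


def replay_twelve_attempts():
    """Re-create the letter's experiment: eleven wrong passwords, then the right
    one on the twelfth try, one second apart. The account name is constructed."""
    fake_clock = [0.0]
    throttle = LoginThrottle(limit=5, clock=lambda: fake_clock[0])
    results = []
    for i in range(12):
        fake_clock[0] += 1.0
        results.append(throttle.attempt("customer@example.invalid", password_ok=(i == 11)))
    return results


if __name__ == "__main__":
    for pw in ("password", "123456", "1234", "correct horse battery"):
        print(repr(pw), check_password(pw) or "accepted")
    print(replay_twelve_attempts())
```

With a limit of five, the fifth wrong guess locks the account and the correct password on the twelfth try is still refused. A per-account lockout alone invites denial of service against known e-mail addresses, so production systems pair it with per-IP limits, CAPTCHAs or a second factor rather than relying on it exclusively.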

Listen, I really appreciate my new cloud drive.

I just don't think I'll be using it for much until you enact some better safeguards to protect it.

Sean Sullivan


Monday, March 28, 2011

Top Tweets Link to Adult Dating Spam? #NSFW Posted by Sean @ 15:29 GMT

Twitter has a verified account called @TopTweets that:

"…algorithmically selects and retweets some of the most interesting tweets spreading across Twitter. Enjoy!"

Enjoy, eh?

Well, it looks as if an adult dating spammer is gaming the system (or else Twitter really needs to tweak its top tweets algorithm):

@TopTweets recently retweeted this tweet from @CamGirlTrenity:


But more surprisingly, @TopTweets also retweeted this tweet from @SkypeCamGirls already on Saturday:


Guess nobody reported the spam over the weekend.

Hopefully Twitter will look into this soon as @TopTweets has over one million followers and we seriously doubt that they want to be exposed to sites such as and

Fortunately however, the links are obviously "not safe for work" (#nsfw) and relatively few people have clicked them. So perhaps most folks have just a bit more common sense than many so-called experts give them credit for?

Updated to add: Nice! Twitter has suspended both @CamGirlTrenity and @SkypeCamGirls (among others…).

Today's tweet is no longer in the @TopTweets feed and we expect that Saturday's will soon be purged as well.



Wednesday, March 23, 2011

Rogue SSL Certificates ("Case Comodogate") Posted by Mikko @ 20:27 GMT

SSL certificates are used by websites to confirm their identity to end users.

Certificate vendor Comodo has announced today that nine rogue certificates were issued through them. These certificates were issued for:

  • (Gmail)
  • (Hotmail et al.)
  • (three certificates)
  • (Firefox extensions)
  •  "Global Trustee"

According to Comodo, the registrations seemed to be coming from Tehran, Iran and they believe that because of the focus and speed of the attack, it was "state-driven".

What can you do with such a certificate?

Well, if you are a government and able to control Internet routing within your country, you can reroute all, say, Skype users to fake and collect their usernames and passwords, regardless of the SSL encryption seemingly in place. Or you can read their e-mail when they go to Yahoo, Gmail or Hotmail. Even most geeks wouldn't notice this was going on.

What about the rogue certificate for Initially I thought there would be no other reason than to use Firefox extensions as some sort of malware install vector. However, Eric Chien from Symantec came up with an interesting alternate theory: it could be used to block the installation of certain extensions that bypass censorship filters (thanks, Eric!) For examples of such extensions, see here and here.

As the certificate revocation systems in place are far from foolproof, Microsoft has just announced that it will ship a Windows update that moves these rogue certificates into the local untrusted certificate store.
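To make the failure mode concrete, here is an added example (not part of the original post, and not Comodo's, Microsoft's or any browser's code) that models a client's trust decision in Python. The certificate objects, the root store contents and the key bytes are constructed stand-ins; real code hashes the DER-encoded SubjectPublicKeyInfo and talks to a real OCSP responder.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Only the fields the trust decision needs. `spki` stands in for the
    DER-encoded SubjectPublicKeyInfo; a real pin hashes that DER blob."""
    subject: str
    issuer: str
    spki: bytes

    def fingerprint(self):
        return hashlib.sha256(self.issuer.encode() + self.subject.encode() + self.spki).hexdigest()

    def spki_hash(self):
        return hashlib.sha256(self.spki).hexdigest()


# A browser root store (constructed subset). Every CA in it may sign for any
# name, which is why one stolen affiliate login at one CA is enough.
ROOT_STORE = {"Comodo", "Example Root CA"}


def chain_validates(cert, hostname):
    return cert.issuer in ROOT_STORE and cert.subject == hostname


def revocation_ok(cert, revoked, ocsp_reachable, soft_fail):
    """A soft-fail client accepts the certificate when the OCSP responder cannot
    be reached. An attacker who already controls routing can arrange exactly that."""
    if not ocsp_reachable:
        return soft_fail
    return cert.fingerprint() not in revoked


def decide(cert, hostname, *, revoked=frozenset(), ocsp_reachable=True,
           soft_fail=True, distrusted=frozenset(), pins=None):
    """Returns (accepted, reason). `distrusted` models the local untrusted
    certificate store the Windows update populates; `pins` maps a hostname to
    the SPKI hashes a client will accept for it regardless of the signing CA."""
    if cert.fingerprint() in distrusted:
        return False, "explicitly distrusted"
    if not chain_validates(cert, hostname):
        return False, "chain does not validate for this name"
    if not revocation_ok(cert, revoked, ocsp_reachable, soft_fail):
        return False, "revoked, or revocation status unknown"
    if pins is not None and cert.spki_hash() not in pins.get(hostname, set()):
        return False, "public key does not match the pin"
    return True, "accepted"


GENUINE = Cert("mail.google.com", "Example Root CA", b"constructed genuine key")
ROGUE = Cert("mail.google.com", "Comodo", b"constructed attacker key")


def scenarios():
    """Outcomes for the rogue mail.google.com certificate under each defence."""
    host = "mail.google.com"
    revoked = {ROGUE.fingerprint()}          # the CA did revoke it
    pins = {host: {GENUINE.spki_hash()}}
    return {
        # Revocation works only while the client can reach the responder...
        "rogue, OCSP reachable": decide(ROGUE, host, revoked=revoked)[0],
        # ...and a client whose routing the attacker controls cannot.
        "rogue, OCSP blocked, soft-fail": decide(ROGUE, host, revoked=revoked, ocsp_reachable=False)[0],
        "rogue, OCSP blocked, hard-fail": decide(ROGUE, host, revoked=revoked, ocsp_reachable=False, soft_fail=False)[0],
        # An out-of-band distrust list does not depend on reaching anything.
        "rogue, OCSP blocked, distrusted": decide(ROGUE, host, ocsp_reachable=False, distrusted={ROGUE.fingerprint()})[0],
        # A pin rejects any key but the expected one, whoever signed the cert.
        "rogue, OCSP blocked, pinned": decide(ROGUE, host, ocsp_reachable=False, pins=pins)[0],
        "genuine, OCSP blocked, pinned": decide(GENUINE, host, ocsp_reachable=False, pins=pins)[0],
    }


if __name__ == "__main__":
    for label, accepted in scenarios().items():
        print(f"{label:34s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The rogue certificate is rejected when OCSP is reachable and accepted the moment it is not, which is the situation a state that controls routing can impose on its users. Hard-fail fixes that case but makes every site unreachable whenever its responder is down, so it is rarely enabled; pushing the rogue fingerprints into a local untrusted store, or pinning the expected public key, works without depending on the responder at all.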

Updated to add: Comodo has now said the attacker gained entry to its system by obtaining the password and username of a European affiliate. Once inside, the attacker could have issued certificates to any site he wanted. Wall Street Journal has more on the breach.

Updated to add: What's the importance of a Certificate issued for "Global Trustee"? We don't know. This isn't a documented entity anywhere we could find. Our best guess at this point is that there is some hardware product from some large vendor with hardcoded support for a certificate for "Global Trustee"…

Updated to add: Iran does not have its own CA. If it did, it wouldn't need to do any of this, as it could simply issue rogue certificates itself. On Twitter, @xirfan commented on this, saying: "I work for a webhoster. Our Iranian & Syrian customers aren't allowed SSLs".

Here's a full list of root certificates stored in the Mozilla project Root CA store. It includes certificates issued by CAs in China, Israel, Bermuda, South Africa, Estonia, Romania, Slovakia, Spain, Norway, Colombia, France, Taiwan, UK, The Netherlands, Turkey, USA, Hong Kong, Japan, Hungary, Germany, and Switzerland.

Updated to add: A person or persons claiming to be "Comodo Hacker" has posted a public note on the incident. The person/people behind the post do seem to have had access to Comodo's or's internal systems. Whether the rest of their story is true or not, we don't know.


Attack Using CVE-2011-0609 Posted by Response @ 02:55 GMT

Attackers have been taking advantage of the situation in Japan to trick their targets into opening malicious files. These cases have used weaponised Excel attachments carrying Flash exploits.

Here's a screenshot of one such e-mail, provided by Contagio:


The related XLS samples have these hashes:

  •  4bb64c1da2f73da11f331a96d55d63e2
  •  4031049fe402e8ba587583c08a25221a
  •  d8aefd8e3c96a56123cd5f07192b7369
  •  7ca4ab177f480503653702b33366111f

We detect them as Exploit.CVE-2011-0609.A and Exploit:W32/XcelDrop.F.

Another sample we've seen (md5:20ee090487ce1a670c192f9ac18c9d18) is an Excel file containing an embedded Flash object that exploits a known vulnerability (CVE-2011-0609). When the XLS file is opened, it shows an empty Excel spreadsheet and starts exploit code via a Flash object.

The Flash object starts by doing a heap-spray containing the following shellcode:


This first shellcode only loads and passes execution to a second shellcode embedded in the Excel file:


The second shellcode is responsible for decrypting and executing an EXE file (also embedded in the Excel file):

second shellcode


In the meantime, the Flash object constructs and loads a second Flash object in runtime:


This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap. We generically detect the Flash object as Exploit.CVE-2011-0609.A.

As an aside: the main exploit appears to have been delivered in this fashion in an attempt to evade detection. As it is loaded in memory, no physical file is available for scanning by an antivirus engine. Embedding the Flash object that loads the main exploit in an Excel file may be an attempt to further disguise the attack.

Fortunately, the malicious Excel file and its embedded EXE file are detected as Exploit.D-Encrypted.Gen and Trojan.Agent.ARKJ, respectively.

Still, users should update their Flash player as Adobe has already released a patch for this particular vulnerability. For more information, please see their security advisory for CVE-2011-0609.

Threat Solutions post by — Broderick
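Added example, not from the original post and not F-Secure's tooling: a small Python triage script that looks for the two artefacts the analysis above describes, an embedded SWF (Flash) object and an embedded PE executable, inside an arbitrary file, and checks the file's MD5 against the hashes listed above. The file it scans is constructed inline (OLE magic, a zlib-compressed SWF with a placeholder body, an MZ/PE stub) and is not one of the real samples. One caveat that follows from the analysis itself: the real sample stores its EXE encrypted, so the MZ/PE scan would not find it there; the SWF check is what flags that case.

```python
import hashlib
import struct
import zlib

# MD5s of the malicious XLS samples listed in the post above.
KNOWN_XLS_MD5 = {
    "4bb64c1da2f73da11f331a96d55d63e2", "4031049fe402e8ba587583c08a25221a",
    "d8aefd8e3c96a56123cd5f07192b7369", "7ca4ab177f480503653702b33366111f",
    "20ee090487ce1a670c192f9ac18c9d18",
}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File (legacy .xls) header


def find_swf(data):
    """Yield (offset, kind, version, declared_len, verified) for each SWF header.
    FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA (Flash 11+, not inflated
    here). For CWS the body is inflated and its length compared with the header,
    so three random bytes spelling 'CWS' are not reported as a Flash object."""
    for sig in (b"FWS", b"CWS", b"ZWS"):
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0 or off + 8 > len(data):
                break
            start = off + 1
            version = data[off + 3]
            declared = struct.unpack_from("<I", data, off + 4)[0]
            if sig == b"FWS":
                verified = 8 < declared <= len(data) - off   # plausibility only
            elif sig == b"CWS":
                try:
                    d = zlib.decompressobj()
                    body = d.decompress(data[off + 8:])
                    verified = d.eof and len(body) + 8 == declared
                except zlib.error:
                    verified = False
            else:
                verified = None
            yield off, sig.decode(), version, declared, verified


def find_pe(data):
    """Yield offsets of plausible PE images: an 'MZ' header whose e_lfanew field
    points at a 'PE\\0\\0' signature. Finds only raw (unencrypted) executables."""
    start = 0
    while True:
        off = data.find(b"MZ", start)
        if off < 0 or off + 0x40 > len(data):
            return
        start = off + 1
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            yield off


def triage(data):
    """Summarise what an analyst would want to know about one attachment."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "known_sample": md5 in KNOWN_XLS_MD5,
        "ole_container": data.startswith(OLE_MAGIC),
        "swf": [s for s in find_swf(data) if s[4] is not False],
        "pe": list(find_pe(data)),
    }


def build_sample():
    """Constructed stand-in for a weaponised .xls (NOT one of the real samples):
    OLE magic, filler, a zlib-compressed SWF, filler, and a raw MZ/PE stub."""
    swf_body = bytes.fromhex("7800055f00000fa000000c0100") + b"\x00" * 100  # placeholder body
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + zlib.compress(swf_body)
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)           # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)           # e_lfanew -> right after the DOS header
    pe += b"PE\0\0" + b"\x00" * 0x20
    return OLE_MAGIC + b"\x00" * 512 + swf + b"\x00" * 64 + bytes(pe)


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

Run it on a real attachment with `triage(open(path, "rb").read())`. A spreadsheet that is supposed to contain nothing but cells, yet carries a verified SWF, deserves a closer look regardless of whether its hash is already known; that is the point of the in-memory second stage described above, which never touches disk and so never gets a hash of its own.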


Monday, March 21, 2011

Roundhouse Kick Time Posted by Mikko @ 14:40 GMT

Chuck Norris kicks ass. We all know that. Malware authors know this too.
In fact, we've seen multiple worms and trojans over the years that make references to Chuck Norris. Probably the best example is the Chuck Norris Router Worm from last year.

While browsing through incoming malware, we noticed this little fellow (md5 66b06adc178d17a7b42301e845eed84d): a botnet client, capable of taking over the computer and allowing full remote access to the infected system.

As usual, it requires a server to connect to. Name of the server? The bot also registers itself in the registry under hkcu\software\chuck norris. We detect it as Backdoor:W32/Spyrat.D. Here's a description.

We looked into this a bit deeper, and it turns out to have been generated with a tool called "CyberGate". Here's what the CyberGate control panel looks like.


European Climate Registry Not Linked to CO2 Phishing Posted by Mikko @ 14:37 GMT

We want to issue a correction to a blog post we did in January.

While blogging about phishing attacks against EU CO2 Emission Trading Systems, we provided several examples of real phishing e-mails and phishing sites. However, we also mentioned a company called European Climate Registry (

There were two reasons why we singled this company out. First, the EU had warned about European Climate Registry publicly as it is "not connected to European Commission". However, a company does not need to be connected to the EC if it wants to offer an alternative trading platform for trading carbon-related products.

Second, the domain looked suspicious to us, as standard WHOIS services listed the registrant information as "NOT DISCLOSED!". We later realized that EURid lists all .eu domain registrants as "NOT DISCLOSED!"; the registrant information can only be queried via EURid's own web form. Thus our statement that the domain was registered through a domain privacy service was incorrect. We have no reason to conclude that European Climate Registry is involved in any wrongdoing.


Friday, March 18, 2011

Infographic - COMPUTER INVADERS Posted by Mikko @ 12:41 GMT

25 infamous viruses over the last 25 years

You can download a full-resolution version of the infographic here.

This Infographic was first featured on on 16th of March, 2011.


Thursday, March 17, 2011

New Mitmo: SpyEye Edition Posted by Sean @ 19:12 GMT

Our Threat Research team just completed some interesting analysis of a new Man-in-the-mobile (Mitmo) Symbian trojan (designed to steal mTANs), and what's particularly interesting about this variant is that it appears to be a component of SpyEye.

Previous versions of Mitmo were coupled with the ZeuS trojan. There were publicly disclosed cases of ZeuS Mitmo in September, 2010 (Spain) and February of this year (Poland).

ZeuS and SpyEye recently merged — Krebs on Security has details.

This new version of Mitmo was discovered by a partner a couple of weeks ago (somewhere in Europe…).

The technique SpyEye Mitmo used to circumvent Symbian's signing requirement was to use a developer certificate issued by OPDA in China.

The fields injected into a SpyEye-compromised online banking session include a request for the user's phone IMEI. Once SpyEye had the IMEI, it was added to the list of device IMEIs embedded in the developer certificate, so the phone's user could install the "self-signed" software without tripping Symbian's security prompts. Nokia has taken probationary actions against OPDA to prevent further abuse of their services.

We'll have further analysis available tomorrow.

Researchers can contact us over the usual channels to obtain the sample.


Wednesday, March 16, 2011

Are Facebook Comments the Death of Anonymity? Posted by Sean @ 18:38 GMT

Facebook recently announced a major overhaul of its comments system. The new changes will allow Facebook users to comment on third-party websites using their profiles. Supporters of the new system hope that it will help in combating Internet trolls and comment spam because Facebook accounts typically use real names. Critics of the system argue that it's a threat to free speech.

A number of critics have cited this quote by Mark Zuckerberg, from The Facebook Effect: "You have one identity. The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly … Having two identities for yourself is an example of a lack of integrity."

Reactions among social activists have not been positive. But really, why? Is having only one identity really such a strange concept?

Other than The Batman, who really needs more than one identity?

I only have one identity. I also have an alias on Twitter, @FSLabsAdvisor, and you can probably tell based on its name, it's a work related account and primarily reflects my work persona as a public spokesperson of F-Secure. It's directly connected to my identity, but only represents a particular side of my personality.

I have multiple aliases on the Internet, a couple of them are anonymous, but I only need one identity.

Maintaining identity, privacy and integrity on the Internet can be a tricky thing — take Sarah Palin for example. About three weeks ago, Jack Stuef at Wonkette wrote that Palin maintained a personal Facebook account using the name "Lou Sarah". (Palin's middle name is Louise.) Stuef's take on the story was that Palin had a "secret" account to praise her "Sarah Palin" account. And he doesn't seem to take her Lou Sarah account as a sign of great integrity.

It was quite a good catch, but Stuef didn't get it entirely right. The Sarah Palin account is not a "profile". It is a special type of hybrid "page" for celebrities that behaves as a profile. But it's really just a page and part of Sarah Palin's personal brand. It's very likely that the page is entirely administered by her public relations team.

A lot of people wanting to manage their privacy create anonymous Facebook accounts. Many people clearly want aliases. I suspect that a great deal of the backlash directed at Zuckerberg is due to the fact that having multiple accounts per individual is a violation of Facebook's Terms of Service, and Zuck says stuff that makes them sound like criminals.

I think some of the backlash is deserved.

Facebook's corporate line is that you should only friend people that you actually know. But Facebook makes a lot of money from partnerships with social game companies such as Zynga. Social gaming is a form of casual gaming, and casual gaming encourages the formation of casual friendships. Facebook profits are in part driven by the formation of casual friendships.

You can't have your cake and eat it too.

I've seen lots of examples where people have created secondary accounts to play Facebook games with "virtual" friends. As long as Facebook profits from casual friendships, they need to find a way to better protect their users' privacy. Facebook needs to step up and offer users some sort of aliases, or else they need to adjust their TOS.

I'm not holding my breath.

But how about Facebook's new commenting system?

Is it the death of anonymity and free speech?

Probably not. There's a "backdoor" method which is already being used to comment anonymously.


TechCrunch buried the lede in their initial story: "Incidentally, it's also now possible to leave a comment on an external site as a Facebook Page, which means we could see brands use Facebook to leave 'official' comments on blog posts."

So here's an example of what you can do — create a fictional character.

My character is named "Jaajo Jantteri". And I hold the copyright so I'm in full compliance with Facebook's Page Terms.

Jaajo Jantteri

Next, visit a site testing the new comments, such as TechCrunch. Select the alias of your choice.

Leave Comments

And comment.

Hello world

Now we just need to hope that trolls and spammers won't want to do the same.

But hey, if Facebook wants to move the battleground within their walled garden, I say, let them.



Tuesday, March 15, 2011

F-Secure Mac Protection Beta Problems Posted by Mikko @ 07:33 GMT

Mac beta

The beta version of our Mac OSX software, F-Secure Mac Protection, had a serious false alarm last night.

Database update 2011-03-14_03 caused several false alarms on clean files, with detection names such as Exploit:W32/NeosploitPDF.gen!A and Exploit:JS/Brooks.gen!A. The problematic update was removed after two hours. Beta users who received the update have seen some of their clean files moved to the Trash.

This problem only affected users of our Mac OSX beta version (Technology Preview). Our Windows and Linux products were not affected in any way.

We're soon going to release a script that will restore the files from Trash back to their original locations. If you were affected by this issue, please do not empty your Trash in the meantime. See our forum for discussion.

Obviously this is not nice. We'd like to apologize to anyone affected by this error of ours.

Updated to add: We have now released a tool that will restore the files back to their original locations. You can download the tool from here.


Monday, March 14, 2011

Thanks For Help with the Brain Video Posted by Mikko @ 13:16 GMT

So, I went to Pakistan, traveled to Lahore, and took a taxi to the address found 25 years ago in the boot sector of the first PC virus. I found the address and knocked on the door. The creators of the first PC virus opened it.

The final result of this trip is now viewable as a 10 minute short film. You can see the film on our Brain mini-site, which also has lots of "behind-the-scenes" material about the trip.


The video is also available in 720p HD quality on YouTube.

Before I left for Lahore, I asked here on our blog for suggestions on what to ask them and got lots of ideas.

I'd like to thank the following blog readers for suggestions:

  •  Victor
  •  Marko
  •  Vess
  •  Rob Rosenberger
  •  Bart P
  •  George Janiashvili
  •  snuggl
  •  Nicholas Morris
  •  v2y
  •  Richard Lane
  •  June Westwood
  •  toknix
  •  John Moate
  •  tkrokli
  •  Fandi Gunawan
  •  RobertB
  •  Ad
  •  alvarezp
  •  ijaz
  •  Gerado Fonseca
  •  Francis Dhumes
  •  zeroXten
  •  JJ697
  •  Yogi
  •  Zer01
  •  palaniyappan
  •  Brad
  •  safeguy
  •  Efren Acosta
  •  Reza

Not everybody's question made it to the final film, but there are still a bunch of you mentioned in the end credits.

Thanks again!


Friday, March 11, 2011

Searching for Tsunami Results Posted by Sean @ 10:36 GMT

An 8.9-magnitude earthquake has occurred off the north-eastern coast of Japan and a tsunami causing major damage has followed. Naturally, people want to know more, and so they turn to the Web and search for news. And the first place many turn is Google.

As a result, several of Google's home pages now include the following alert:

Tsunami Alert

Now, we haven't written about Search Engine Optimization (SEO) attacks lately, in part because Google is doing a pretty good job keeping them at bay and out of their search results.

But still, here's a best practice we'd like to advise: use the "news" filter if it's included in your language localization of Google:

Google News Tsunami Alert

SEO attacks generally masquerade as news sites, whereas results from are vetted from legitimate sources.

Our thoughts are with the victims of this event. We've been asked about our Japanese colleagues; according to reports, they are well.


Thursday, March 10, 2011

Plenty of Phish in the Cloud Posted by Response @ 08:41 GMT

We've stumbled upon another phishing attempt. This time it targets the "lucky" customers of Maybank, one of the main banks in Malaysia. The method is the usual one: pose as someone in authority, ask the customers to verify their account, and even remind them to include their Transaction Authorization Code as well.

Maybank phishing

Further investigation revealed that this e-mail originated from a spam server, and that's all we could find; every other track has been carefully hidden.

While phishing attempts are nothing new, phishing activity around developing countries seems to be on the rise recently. Have the groups responsible for the earlier activity shifted their focus to a new market? Perhaps they realized that phishy links have a better chance of slipping through undetected if they are localized. Add to that the fact that customers in the region have probably only recently become acquainted with online banking, and could easily fall prey to sophisticated social engineering.

Whatever the reason, those scammers have only one intention: to get hold of valuable information that translates into financial gain. Tools such as our free Browsing Protection portal can help to keep users away from dangerous sites, but the best practice is to take charge of one's own safety. Users need to be aware of the tricks commonly used by those with ill intent in order to avoid falling into the trap.


Trojan:Android/BgServ.A Posted by Response @ 08:26 GMT

So Google released a security solution to deal with the mess that Trojan:Android/DroidDream.A has created in the last few days.

A trojanized version of the tool has also emerged (we detect it as Trojan:Android/Bgserv.A). Interesting preliminary analysis of the trojan is available in Symantec's blog.

You can see the difference by checking the application info of the authentic versus trojanized versions:

Android Market Security Tool:

Android Market Security Tool installation


Trojan:Android/Bgserv.A installation

Here's a screenshot of the content/package itself:

Trojan:Android/Bgserv.A comparison

Once installed, Trojan:Android/Bgserv.A obtains the user's phone information such as IMEI and the phone number. The information is uploaded to

Again, this malware appears to be specific to a mainland Chinese network: it contacts the number 10086 (related to China Mobile Net) and inserts a new APN named "cmnet" into the APN list, which it then uses.

This malware may lead to high data usage on the infected device, leaving the user with a high phone bill.

Interesting note: the malicious code doesn't seem to be restricted only to the Android Market Security Tool; the same behavior also appears in other Android applications, according to AegisLab's blog.

Response Post by — Zimry


Wednesday, March 9, 2011

Brain: Searching for the First PC Virus Posted by Sean @ 16:41 GMT

USA Today has an exclusive look at our Brain documentary starring Mikko Hyppönen, in a story written by Byron Acohido.

Brain: Searching for the First PC Virus


Tuesday, March 8, 2011

Egypt, FinFisher Intrusion Tools and Ethics Posted by Mikko @ 09:17 GMT

There's unrest in Egypt, Tunisia, Libya, Bahrain and elsewhere in the Arab world.

Two days ago, protesters in Nasr, Egypt took over the Headquarters of the Egyptian State Security.

Inside the HQ, the protesters gained access to loads of confidential state documents.


Among them was a document that is highly relevant to computer security: an offer for a product called FinFisher sent to the Egypt State Security Investigation Department.





Note: we can't confirm the origin of this document. We got it from Mostafa Hussein. You can download the full document from here. [PDF, 1.3MB]

FinFisher seems to be an Intrusion and Spying software framework, developed and sold by a German company. It seems to include multiple components, including an "infection proxy" and various intrusion tools.

We don't know if Egypt State Security purchased the tool or not. We don't know if they were using it to spy on their own citizens. We don't know who else could be using it.

The obvious question here is: do we detect FinFisher? And the answer is: we don't know, as we don't have a sample at hand we could use to confirm this.

The obvious follow-up question is: if somebody gets us a known copy of FinFisher, would we knowingly add detection for it? And the answer is: yes we would.

We are in the business of selling protection. We're selling products to protect our customers from attack programs — regardless of the source of such programs.

It's easy to imagine a case where our customer would be innocent of any wrongdoing, but would be suspected of a crime he didn't commit. In such a situation he would have every expectation of his antivirus protecting him against trojans, even if those trojans were coming from the government. This would be even more relevant if the customer lives in a totalitarian state. Like some of our customers do.

It's perfectly possible that we have already received a sample of FinFisher or some similar tools from our customers. However, if that has happened we have been unable to distinguish them from "normal" criminal trojans. We don't have any known government intrusion tools in our possession.

We've never received a request from any police force or intelligence organization anywhere in the world, asking not to detect their trojans. If they use trojans, they do not submit them to us.

And even if an official would contact us, asking not to detect their trojan, we would follow our guideline on this, published years ago in 2001. Please see our public statement on this very topic.

It would be a slippery slope to stop detecting government trojans. If the US government asked us not to detect something and we complied, then what? Should we avoid detecting hacking software used by governments… of which country? Germany? UK? Israel? Egypt? Iran?


Monday, March 7, 2011

Android and Kill Switches Posted by Mikko @ 15:32 GMT

Last week, a number of maliciously modified applications were published to Android Market.

Over the weekend, Google announced that they will use their "Kill Switch" to remove these trojans from Android handsets.

Google will also force an install of a program called Android Market Security Tool to affected phones.

This is only the second time Google has used their Kill Switch. The only known case before this was Jon Oberheide's Twilight Eclipse proof-of-concept malware.

F-Secure Mobile Security blocks these trojans as variants of Trojan:Android/Adrd, PjApps or DroidDream.


Friday, March 4, 2011

ChronoPay and the ICPP scam Posted by Mikko @ 12:26 GMT

Once again, Brian Krebs sets the bar for data security bloggers. In his latest blog posts he details how Russian online payment processor ChronoPay is linked to various types of online crime.

Especially interesting is its link to the ICPP Copyright Foundation extortion case.

ICPP online fraud

We blogged about this case in April 2010, when this trojan was being widely distributed. It would lock infected computers, showing a list of copyright infringements supposedly found on the system, and would not unlock the system unless you used your credit card to pay "fines".

E-mails leaked to Krebs show that ChronoPay was directly involved with the scam. Even the subject line of the e-mail shown below reads " Fraud Rate".


Read the full story from Krebs On Security.


Thursday, March 3, 2011

Five Online Criminals Sentenced in UK Posted by Mikko @ 15:23 GMT

You might remember our blog post from last August, discussing an online criminal who posted his bail sheet to an online forum.

He was convicted today in London and received four years in prison. In the same sentencing, two other men and two women were given jail sentences ranging from 18 months to four years, or community service.

Scotland Yard's release follows:

A group of young internet fraudsters who set up an online 'criminal
forum' which traded unlawfully obtained credit card details and tools
to commit computer offences have today been jailed for a
total of 15.5 years.

[A] Gary Paul Kelly (14.04.89 - 21 yrs) unemployed of Clively Avenue,
Clifton, Swinton, Manchester;

[B] Nicholas Webber (10.10.91 - 19 yrs) a student of Cavendish Road,

[C] Ryan Thomas (8.7.92 - 18 yrs) a web designer of Howard Road, Seer
Green, Beaconsfield, Herts;

[D] Shakira Ricardo (14.11.89 - 21 yrs) unemployed of Flat 13, J Shed,
Kings Road, Swansea SA1;

were sentenced today (Wednesday 2 March) for computer misuse and fraud
offences following a two-day Newton Hearing at Southwark Crown Court.
All pleaded guilty at earlier hearings.

+ [E] Samantha Worley (30.09.88 - 22 yrs) unemployed of Flat 13, J
Shed, Kings Road, Swansea SA1 was sentenced on 14 December 2010 to 200
hours' community service for acquiring criminal property.

The gang are believed to have been responsible for the largest
English-language online cyber crime forum and were all arrested on
various dates in 2009 and 2010, following a complex investigation by
officers from the Metropolitan Police Service's Police Central e-Crime Unit.

During an eleven month investigation detectives uncovered evidence that
the defendants were directly involved in the global forum (used by over
8,000 members) which promoted and facilitated the electronic theft of
personal information; credit and debit card fraud; buying and selling
of personal information (including passwords and PIN numbers); the
creation and exchange of malicious computer programs (malware); the
establishment and maintenance of networks of infected personal
computers (BotNets); and tutorials offering advice on how to commit such
offences, including how to evade and frustrate law enforcement activity
and the exchange of details of vulnerable commercial sites and servers.

Founder of the forum was Webber. Having established a web site named
'', he acted as "administrator" and had overall
control of the site (meaning he was able to allow/ban members, remove
or edit their posts, and alter their status on the forum.)

An examination of the rebuilt forum and its database revealed many
thousands of data entries relating to individuals' personal details
including names, dates of birth, bank details, passwords, paypal
accounts and social security numbers. Site members are believed to have
traded in compromised databases containing thousands of personal
details including bank account numbers, PIN numbers, passwords and
malware including the Zeus Trojan and other types of criminal software,
including credit card verification programs.

The forum included such topics as: 'Phishing kits (post free phishing
kits and sell them)'; 'Show off (show us your skills here)'; 'Tutorials
(post some useful info here)'; and 'Cardable (post sites you've carded
here)'. There was also advice and tutorials on various methods of
evading law enforcement, how to encode blank plastic with credit card
data, and how to hack into sites, and even recipes for controlled drugs
(crystal meth) and a tutorial on bomb making.

Members of the site communicated anonymously by the use of screen
nicknames. They were able to post messages in various forum topics on
the website and send/receive private secure messages to/from other site

During the investigation detectives recovered from the defendants’
computers more than 130,000 compromised credit card numbers, which at
an estimated industry loss of £120 per card, is a potential £15.8
million financial loss in relation to card numbers alone.

On 3 November 2009 detectives arrested Kelly after executing a search
warrant at his home address. A full search of the property was
conducted, with a number of computers and mobile phones removed from
the address for examination.

It was established that Kelly had independently constructed and
distributed across the web a sophisticated Zeus malicious computer
programme which enabled him to infect and compromise over 15,000
computers in over 150 countries, harvesting from them over 4 million
lines of data, including huge quantities of credit card numbers and
other confidential, personal information.

Having been provided with relevant passwords by Kelly, detectives were
able to rebuild the GhostMarket forum and its database using files from
his PC.

Prior to this, on 12 October Webber and Thomas were arrested at a five
star central London hotel for using stolen credit card details to pay
for accommodation in the penthouse suite. They claimed to have
responded to an online advert, saying they had paid money to an
anonymous individual.

Bailed to return whilst officers conducted further inquiries, items
including their laptops were seized. In addition they were found to be
in possession of business cards brandishing the 'GhostMarket' logo,
advertising it as "A new era in virtual marketing" with the byline
"I'm a carder, ask about me..."

The duo's involvement in the 'GhostMarket' criminal forum was soon
established and inquiries were made to trace them after they failed to
return on bail in relation to the stolen credit card offence.

It was later discovered that on 31 October the pair had flown out to
Palma, Majorca, where they had been living in a rented flat in Port

On 29 January 2010 they were arrested at Gatwick Airport as they flew
in from Palma.

The following day a search of Webber's home address revealed a computer
containing a series of files outlining a step-by-step guide to
committing various criminal offences.

Owing to the volume of evidence to be examined and the complexities of
the case, the pair were released on police bail to return at a later

Officers subsequently travelled to Spain and, accompanied by Spanish
Police, attended the flat Thomas and Webber had rented out. The
property was empty, but local enquiries established that the contents
had been posted back to their UK addresses.

Those items, as well as additional computer equipment, were
subsequently recovered.

Through the forensic examination of seized computers and other digital
storage devices, as well as evidence secured through the rebuilt
Ghostmarket site, officers identified Ricardo, a trusted member of the
forum, and she was traced to Swansea, South Wales. Initially joining
the site as a complete novice, over time Ricardo had progressed to
become directly engaged in card fraud and computer malware activity.

Financial enquiries identified a payment made from Ricardo into her
partner Worley's bank account, incriminating her in the fraud.

Detective Inspector Colin Wetherill, Police Central eCrime Unit said:
"These defendants were accomplished cyber criminals, engaged in the
systematic mass infection of computers in homes and businesses in the
UK and overseas.

"They unlawfully harvested personal and financial information from
their victims to be exploited for financial gain.

"The GhostMarket crime forum was used by thousands of computer
criminals and fraudsters operating worldwide.

"Through it the defendants built an extensive criminal network to
facilitate the wholesale trade of compromised credit card details,
confidential financial and personal information, malicious computer
programmes, and other sophisticated tools and criminal services.

"The arrest, prosecution and conviction of these individuals represents
a significant step forward in our efforts to tackle cyber crime and
reduce the harm it causes."

+ A full financial investigation into all four defendants is underway.


Coming Soon... Posted by Mikko @ 13:44 GMT

Watch on YouTube.


Wednesday, March 2, 2011

Android Trojan Alert Posted by Response @ 09:33 GMT

Recent reports on trojanized applications being found on the official Android Market just came to our attention (via and Reddit).

The malicious applications were uploaded under various developer names. A full listing of the applications involved appears here:

According to the report, one of the malicious applications was examined and found to contain the known "rageagainstthecage" root exploit. This exploit is known to work on Android 2.2 and below, so devices on those versions can be rooted silently by the trojanized app.

The original report indicated the malicious applications have already been pulled from Android Market — which is great news for users who haven't yet unwittingly downloaded the malware.

Users who have already done so may still need to wait for Google to remotely remove these apps — or remove them manually.

We'll continue to monitor the situation. We're also looking for samples of these trojanized applications for further analysis. If you have one of the malicious samples, you might consider sending it to our Sample Analysis System.


Edited to add: The pastebin link is no longer valid. Mashable and other news outlets are publishing the list.


New Pjapps Variant Posted by Response @ 01:38 GMT

A Chinese version of the "Steamy Window" application for Android was recently found repackaged with a malicious routine (Symantec has a good post on it). It appears the malware creator(s) favor this application, as they have already come out with a new variant, which is detected as Trojan:Android/Pjapps.B.

A quick look at this variant shows that the malicious functionalities remain mostly the same, including sending SMS, installing an application, adding bookmarks, and receiving commands from a C&C server.

Here are some screenshots comparing Trojan:Android/Pjapps.A and Trojan:Android/Pjapps.B:

Pjapps.A installation

Pjapps.B installation

And here's a quick view of the code for both variants, showing clearly enough that Pjapps.A (left) is the original version, with Pjapps.B (right) being "version 2":

Pjapps info

Perhaps the most visible change seen is that the new version "automatically starts at boot".

This is hardly the first trojanized Android app we've seen (Trojan:Android/Adrd.A). Still, it's one more sign that Android malware is on the rise and maybe not too surprisingly, the focal point for it seems to be China.
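The two Android posts above describe the same handful of traits in different samples: a bundled root exploit (Android Trojan Alert), and SMS sending, package installation, bookmark writing, C&C traffic and a boot-time start (Pjapps.B). The script below is an added triage example, not code from F-Secure or from the samples, that checks a package for those traits statically. It assumes the manifest is already plain XML (a real APK carries binary XML that apktool or aapt must decode first), and the APK it inspects is constructed in memory for the example; the package name, receiver name and asset file are made up. Native exploit binaries are recognised by the ELF magic bytes rather than by file name, so a renamed exploit still trips the check.

```python
"""Static triage of an Android package for the traits discussed above.

Added example (not F-Secure's code). The sample APK is built in memory and
the manifest is assumed to be decoded, text XML.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ELF_MAGIC = b"\x7fELF"

# Permissions whose combination matches the behaviour described for
# Pjapps/DroidDream. INSTALL_PACKAGES is a system-level permission; a
# third-party app requesting it is itself a warning sign.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.INTERNET": "network access (C&C)",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.INSTALL_PACKAGES": "install packages (system-only)",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "write browser bookmarks",
}


def parse_manifest(xml_bytes):
    """Return (requested permissions, receivers registered for BOOT_COMPLETED)."""
    root = ET.fromstring(xml_bytes)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    boot_receivers = []
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED":
                boot_receivers.append(recv.get(ANDROID_NS + "name"))
    return perms, boot_receivers


def triage_apk(apk_bytes):
    """Return a list of human-readable findings for one APK (zip) blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        perms, boot_receivers = parse_manifest(z.read("AndroidManifest.xml"))
        for p in sorted(perms & SUSPICIOUS_PERMISSIONS.keys()):
            findings.append(f"permission {p} ({SUSPICIOUS_PERMISSIONS[p]})")
        for r in boot_receivers:
            findings.append(f"BOOT_COMPLETED receiver {r}")
        # Root exploits ship as native binaries; check magic, not names.
        for name in z.namelist():
            if name.startswith("assets/") and z.read(name)[:4] == ELF_MAGIC:
                findings.append(f"native ELF binary in {name}")
    return findings


# Constructed manifest modelled on the traits above; names are invented.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.steamywindow">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <application android:label="Steamy Window">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def build_sample_apk():
    """Build a minimal APK-shaped zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        # Placeholder with ELF magic only; not a real exploit binary.
        z.writestr("assets/rageagainstthecage", ELF_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_apk(build_sample_apk()):
        print("-", finding)
```

Any one finding is weak on its own (plenty of legitimate apps start at boot or send SMS); it is the combination of a boot receiver, SMS and install capability, network access and a native binary hidden in assets that earns a sample a closer look.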

Our Android product detects these two variants with the latest database update.

Response Post by — Zimry