NEWS FROM THE LAB - March 2013


Tuesday, March 26, 2013

Whois behind South Korean wiper attacks? Posted by Brod @ 15:19 GMT

Last week, when "wiper" malware hit South Korean companies, the website of LG Uplus was reportedly defaced as well.

From The Register:

The Register Report

Due to the proximity of the incidents, the "Whois Team" is being suspected as the perpetrators of the wiper attacks. However this is still being debated.

From Ars Technica:

Ars Technica Report

We browsed through wiper samples yesterday, and discovered a variant that contains a routine that searches for web documents (e.g. ".html", ".aspx", ".php", etc.) in an infected system. The malware overwrites these documents with a content that looks exactly like that seen in the video below:

We believe this sample is clearly related to the one used in the defacement of the LG Uplus website.

The sample has a timestamp that is similar to the other wiper samples.

The timestamp of the DLL-wiper sample from yesterday's post:

DLL Wiper Timestamp

Timestamp of the defacer-wiper sample:

Defacer-wiper Timestamp

However, this variant used a completely different approach to wipe the drives. It infected the MBR with the following code to wipe the disk during the next boot-up:

Bootstrap Wiper

Also, unlike the other variants, this sample does not use the strings "HASTATI", "PRINCIPES", etc. when wiping the file system. This time it overwrites the files with zero's, rename them to a random filename before finally deleting them. It also avoids files found in Windows and Program Files directory. All this make sense because the attacker needed the infected webserver to continue hosting the defaced pages.

So do we think the attacks are related? Most probably they are. Only that this one was carried out by a different member.


Monday, March 25, 2013

How much difference can an ISP make over an outbreak? Posted by Mikko @ 15:10 GMT

F-Secure works extensively with ISPs and operators. We were assisting several large operators last year during the remediation of the DNSChanger malware.

There was an interesting study recently done by researchers at Georgia Tech. They compared how different ISPs responded to DNSChanger and what were the differences in the outcome.

Georgia Tech DNSChanger

You can download a presentation on their findings from here.

This research was originally presented at the M3AAWG 27th General Meeting in San Francisco.


South Korean Wipers and Spear Phishing E-mails Posted by Brod @ 09:43 GMT

News broke last week of a "wiper" malware that affected South Korean banks and broadcasting companies. NSHC Red Alert Team has published a detailed analysis of the malware here. There were several hashes mentioned for the same component, which suggest multiple operations under the same campaign.

So how did the affected companies get infected? No one knows for sure. However we came across the following archive:


The filename of the archive roughly translate to "The customer's account history". As a side note, Shinhan bank was one of the affected companies according to reports.

Those with keen eye would notice that the malware inside the archive is using double extensions combined with a very long filename to hide the real extension. This is a common social engineering tactic that started during the era of mass mailing worms almost a decade ago. Therefore we believe the archive is most likely sent as attachment in spear phishing e-mails.

The malware has a datestamp of March 17, 2013, which is just few days before the incidents. It uses the icon of Internet Explorer and opens the following decoy upon execution:

HTML decoy document

In the background, the malware downloads and executes the following:

   saved as %systemdirectory%\hzcompl.dll

   saved as %systemdirectory%\%random%.dll

   saved as %systemdirectory%\sotd.dll

Several other HTTP requests are also made, possibly to download other dependencies of the payloads or simply to obscure the malicious requests from admins monitoring the network traffic.

The URLS are either already down or cleaned during our analysis. However the filenames still gave us some clue on the styles of the attacker. For example the file extensions suggest that the payload may be a DLL file. Also "btn_mycomputer.gif" suggest that the payload may disguise as an image of a button in a URL. Since we are investigating for possible links to the wiper payloads, we started looking at existing samples.

Although we were not able to find exact matches, there were a couple variants of the wiper component that matches the style. The first uses a similarly themed filename called "mb_join.gif" which may be trying to disguise as an image of a join button on some mobile banking website. The other is a time triggered DLL sample:

Time trigger

The code above is equivalent to "(month * 100 + day) * 100 + hour >= 32,015" which will only be satisfied during March 20 15:00 and later.

Besides spear phishing e-mails, not all affected systems need to get infected themselves. Some variants also wipe remote systems using credentials found in configuration files of certain SSH clients installed in infected systems. Therefore an affected system can simply have one of its user, who uses a vulnerable SSH client, infected for it to get toasted!

It is interesting to note that Felix Deimel and VanDyke SSH clients as well as the RAR archive were used in the attacks. These are either third party applications or not supported by Windows natively. Not to mention the attacks specifically wipe remote Linux and Unix based systems. All these specifics give the impression of a targeted attack.


Friday, March 22, 2013

Online World Posted by Mikko @ 13:54 GMT

The real world isn't like the online world.

In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.

Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers, but by professional criminals who are making millions with their attacks. These criminals want access to your computer, your PayPal passwords, and your credit card numbers.

I spend a big part of my life on the road, and I've visited many of the locations that are considered to be hotspots of online criminal activity. I've met the underground and I've met the cops. And I've learned that things are never as simple as they seem from the surface. One would think that the epicenter for banking attacks, for example, would prioritize fighting them, right?

Right, but dig deeper and complications emerge. A good example is a discussion I had with a cybercrime investigator in Brazil. We spoke about the problems in Brazil and how Sao Paolo has become one of the largest source of banking Trojans in the world.

The investigator looked at me and said, "Yes. I understand that. But what you need to understand is that Sao Paolo is also one of the murder capitals of the world. People are regularly gunned down on the streets. So where exactly should we put our resources? To fight cybercrime? Or to fight crimes where people die?"

It's all a matter of balancing. When you balance the damage done by cybercrime and compare it to a loss of life, it's pretty obvious what's more important.

National police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. They have limited resources and expertise to investigate online criminal activity. The victims, police, prosecutors, and judges rarely uncover the full scope of the crimes that often take place across international boundaries. Action against the criminals is too slow, the arrests are few and far between, and too often the penalties are very light, especially compared with those attached to real-world crimes.

Because of the low prioritization for prosecuting cybercriminals and the delays in launching effective cybercrime penalties, we are thereby sending the wrong message to the criminals and that's why online crime is growing so fast. Right now would-be online criminals can see that the likelihood of their getting caught and punished is vanishingly small, yet the profits are great.

The reality for those in positions such as the Sao Paolo investigator is that they must balance both fiscal constraints and resource limitations. They simply cannot, organizationally, respond to every type of threat. If we are to keep up with the cybercriminals, the key is cooperation. The good news is that the computer security industry is quite unique in the way direct competitors help each other. It's not publicly known, but security companies help each other out all the time.

On the surface, computer security vendors are direct competitors. And in fact, the competition is fierce on the sales and marketing side. But on the technical side, we're actually very friendly to each other. It seems that everyone knows everyone else. After all, there are only a few hundred top-level antivirus analysts in the whole world.

These analysts meet in face-to-face private meetings, closed workshops, and at security conferences. We run encrypted and closed mailing lists. We chat in secure online systems. And in these venues we exchange information on what's happening.

On the surface, this doesn't seem to make sense. Why do we cooperate with our competitors to such a large extent? I believe it's because we have a common enemy.

You see, normal software companies do not have enemies, just competitors. In our business, it's different. Obviously we have competitors, but they are not our main problem. Our main problem is the virus writers, the bot authors, the spammers, and the phishers. They hate us. They often attack us directly. And it's our job to try to keep them at bay and do what we can to protect our customers from them.

In this job, all the vendors are in the same boat. This is why we help each other.

And we need all the help we can get to keep up with the changing landscape of online attacks.

All this is happening right now, during our generation. We were the first generation that got online. We should do what we can to secure the net so that it will be there for future generations to enjoy.

Mikko Hypponen

This text was originally published as foreword in Christopher Elisan's book Malware, Rootkits & Botnets, A Beginner's Guide


Hackathon Malaysia 2013 Posted by SuGim @ 02:57 GMT

Are you ready for 24 hours of coding madness?

Hackathon 2013

Do you have what it takes to develop a killer app in 24 hours? Do you love innovation, coding and having fun altogether?

If you do, here's your chance to innovate and drive safe web applications to the next level. F-Secure Malaysia will once again be hosting the Hackathon event, where developers and their teammates spend 24 intense hours coming up with applications to make the web a safer place for us all.

This year's theme is "Securing service in the Web" and developers will be provided with a variety of API's to pull relevant details such as web reputation and real-time malware detection from our cloud network.

The event will be held at our Bangsar South, Kuala Lumpur office on April 12-13. The winner will be rewarded a dinner with our very own Mikko Hypponen, a great opportunity to pick the brain of a world-recognized malware researcher.

More details and sign-up are available at the Hackathon at F-Secure Malaysia campaign site.


Wednesday, March 20, 2013

Malware World Map, ASCII Edition Posted by Sean @ 13:21 GMT

A member of our Lab Development team — Jyrki — has given our malware world map a facelift.

ASCII interface, Linux distro, boots from USB drive.



Tuesday, March 19, 2013

Weev Gets 41 Months Posted by Sean @ 12:24 GMT

The rather pathetic story of Andrew Auernheimer, a.k.a. Weev, took another step yesterday when the unrepentant Internet troll was sentenced to 41 months in (U.S.) prison for one count of identity fraud and one count of unauthorized computer access.

We've posted about Weev in the past: Free Weev. Free Weev?

Free Weev, CFAA

Much of today's press coverage (and Twitter reaction) is singularly focused on the Computer Fraud and Abuse Act (CFAA) — which is the (vaguely written) law related to the count of unauthorized access.

Some folks are voicing concern that Weev's sentencing will have a "chilling effect" on security research.

But not to worry!

Almost all of the coverage we've seen really fails to consider the charge of identity fraud.

So here's a handy how-to guide on avoiding trouble when disclosing a security flaw:

  1.  Don't be an asshole troll.
  2.  When you discover a flaw, don't abuse it. Only do enough to demonstrate the problem, no more.
  3.  Don't collect, record, and then transmit personally identifiable information (PII) belonging to other people.
  4.  When contacting reporters, have them volunteer their own device IDs to demonstrate the flaw.



Friday, March 15, 2013

Apple Security: "Safe" Files Posted by Sean @ 14:22 GMT

Things that Apple's OS X 10.8.3 update patched — which may allow for arbitrary code execution — that are also on the "safe" file type list used by Mac browsers: ImageIO (picture); IOAcceleratorFamily (picture); PDFKit (PDF); QuickTime (movie).


Open "safe" files after downloading… on by default.

You may wish to consider unchecking that particular box.


About the Security Content of OS X Mountain Lion v10.8.3 Posted by Sean @ 09:27 GMT

Apple has released update v10.8.3 for OS X Mountain Lion. And as always, it's interesting to read about the security content.

The details about CoreTypes: CVE-2013-0967 really caught our attention:


"Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled."

Even if the Java plug-in is disabled?

That's interesting…


Wednesday, March 13, 2013

Flash Exploit Targets Uyghur Website Posted by Karmina @ 18:47 GMT

It seems that attacks against Uyghur haven't stopped. We have recently encountered a compromised Uyghur website that renders a malicious flash exploiting the CVE-2013-0634 vulnerability.

site (472k image)

The flash file contains two DLL files each embedded with EXE binaries. One DLL is for 32-bit systems, while the other appears to be for 64-bit systems.

hiew (75k image)

The executable binaries are also digitally signed with different certificates.

cert (116k image)

The sample signed with the invalid certificate from MGAME Corp. was the same one analyzed by FireEye more than a month ago. The other binary queries for updates.

Similar samples of these threats were also seen used in Tibetan targeted attacks.

Related samples:

  •  977bb28702256d7691c2c427600841c3c68c0152 – Exploit:SWF/Salama.B
  •  82b99d5872b6b5340f2c8c0877d6862a6b1f6076 – Trojan.Agent.AYYE
  •  040069e5ecf1110f6634961b349938682fee2a22 – Trojan.Generic.8698229
  •  35161bd83cbfe216a03d79e3f5efea34b62439a6 – Trojan:W32/Agent.DUJV
  •  ce54a99d0a29c945958228ae7d755519dee88c11 – Trojan.Agent.AYAF

Post by — Karmina and @Timo


You Only Click Twice Posted by Mikko @ 15:06 GMT

Once again, The Citizen Lab at the University of Toronto delivers impressive research into surveillance done with trojans and backdoors. They have today released a report called You Only Click Twice: FinFisher’s Global Proliferation.

You Only Click Twice

Next week, the Canada Centre for Global Security at the University of Toronto will be hosting Cyber Dialogue 2013, a conference focusing on cyberspace security and governance.

On Monday the 18th, I'll be participating in a panel called "The Digital Arms Trade" with Dmitri Alperovitch, Shelly Han, Eric King, Morgan Marquis-Boire, Chris Soghoian, and Lhadon Tethong.



Tuesday, March 12, 2013

Exploit Kit Distribution in the Wild Posted by Karmina @ 16:54 GMT

Have you ever wondered which exploit kits are the most prevalent?

We have been tracking several exploit kits that we have identified these past few months and it's interesting to see which gets the biggest chunk of the pie:

Exploit kit chart

56% of the coverage is owned by only three exploit kits: Blackhole, Sweet Orange, and Cool.

Blackhole, a kit that has been around for almost three years, is still keeping a strong presence at no. 1 with 27% of the exploit kit coverage. Followed by Sweet Orange with 18% and Cool with 11%.


Monday, March 11, 2013

Google Play: Potentially Unwanted Posted by Sean @ 16:12 GMT

Google Play has a problem — and it isn't malware.

Depending on location, Potentially Unwanted Applications (PUA) can be rather difficult to avoid.

Here's a screenshot of User Reviews from a "weather widget" application:

Google Play, User Reviews, English

In English (both U.S. and U.K.), there are eight user reviews. Just eight. Even if you click on a link to "Read All User Reviews".

But if you use the Danish UI… this is one additional review you'll see:

Google Play, User Reviews, Danish

And it's good that Danes can see it, because the reviewer explains it's a "nice" app that uses push notifications to drop spam ads, one of which presented his ten year-old daughter with an offer to win an iPad. The daughter provided her father's phone number… and it ended up costing 150 Danish Krone (about 26 USD).

Worst of all — this weather widget app is the second result among free apps if Danes search for "vejr".

More popular, and far more reputable, applications such as "AccuWeather" (TM) haven't done Search Engine Optimization for the Danish market and so end up lower in "relevant" results.

Here are the Russian user reviews:

Google Play, User Reviews, Russian

There's a word being repeated in the reviews: вирус — that's Russian for "virus".

Which technically, it isn't — even if it is using notifications to drop spam ads to sites which use multiple redirects to enable geo-aware affiliate schemes. Not a virus — but definitely unwanted.

That's the way a lot of "free" applications are in Google Play. Results vary by location. In Finland, this PUA drops notifications which redirect to a poker app, which involves little more than a commission being paid out if the poker application is installed. In Denmark, the notifications sometimes redirect to SMS billing schemes. In Russia… well, it could redirect to almost anything.

There's no way to know what you'll get until you get it.

And unfortunately Google Play doesn't provide tools to avoid those attempting to game the system.

Here's a Google Play search result:

Google Play, We couldn't find anything for your search

Hmm, couldn't find anything.

Google Play lacks useful tools or even a decent set of sort options. But then — if one could sort through Play results — fewer searches would be generated which the world's biggest advertising company could then use to profile its users. Fewer searches equals fewer data points. Search is for better or worse part of the Android experience.

Google doesn't do sort.

So search it is. But it's somewhat strange that neither Google Translate nor Maps are used to enhance the Play experience.

Translate — is there some reason why the company whose Chrome browser offers to translate almost everything can't be bothered to translate (or even offer to display) all of its Play reviews?

Maps — this is just an educated guess, but many positive reviews for apps of questionable quality are probably from the developer's back yard. Personally, we'd like to see where the reviewers are located. A feedback map would be much more useful than the current bar graph.

Google Play: there's room for improvement.


Friday, March 8, 2013

Mobile Threat Report Q4 2012 Posted by Sean @ 15:58 GMT

Our Mobile Threat Report Q4 2012 was published yesterday.

Mobile Threat Report Q4 2012

The Mobile Threat Report is a Product of F-Secure Labs.

No team outside of F-Secure Labs reviewed its content prior to publication… other than a fellow on the brand team who offered some guidance on our use of logos and color.

Also check out the mobile section of our generally focused H2 Threat Report for additional context on the mobile malware scene.



Thursday, March 7, 2013

Mobile Bot "Perkele Lite" [Android Only] Posted by Sean @ 10:44 GMT

Here's some evidence of Android malware commoditization — an ad for "Perkele Lite" — a kit to generate trojans which catch and forward SMS messages. Quite useful in cracking two factor authentications.

Perkele Lite

For more information, see: Krebs on Security.


Wednesday, March 6, 2013

Webinar: Thursday, March 7th Posted by Sean @ 13:16 GMT

F-Secure Labs is hosting a webinar — featuring Mikko Hypponen — on the 7th of March. That's tomorrow!

The event will start at 17:00 (EET) from our Helsinki lab, so whether you're in Asia or America, you can participate without losing too much sleep. Here's a time difference calculator you can use for your area.

Hear it Straight from the Labs

Registration is free: click here for details.


Mobile Threat Report Q4 2012: What's in our brand-new report? (Available on Thursday.) Hear the latest on Android and Symbian, mobile banking trojans, and more.

Click-Fraud: Advertising click-fraud is a complex and innovative crime. What does it involve and how did it get this way?

Fighting Bots on Your Computers and Phone: Windows-based botnets are a major problem. What can we do to fight them? And how can we prevent our phones from becoming the next battleground?

Hacking Disclosures and the Implications: Twitter, Facebook, Apple, Microsoft, and Evernote have all been compromised. How did it happen? What are the issues? Who else may be affected? And what does it mean for the rest of us?



Tuesday, March 5, 2013

Flash: Click to Play Posted by Sean @ 16:57 GMT

Adobe released several security updates for its Flash Player during February.

Security bulletin APSB13-04:

"Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content."

Adobe APSB13-04

Attacks on Macs via Firefox and Safari are something we noted on February 8th.

Security bulletin APSB13-08:

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content. The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser."

Adobe APSB13-08

"This update resolves a permissions issue with the Flash Player Firefox sandbox (CVE-2013-0643)."

Breaking out of Firefox's sandbox? Not good.

Fortunately, Flash Player auto-updates rather well on Windows.

And on Macs, Apple is now blocking old versions with its XProtect component.

Apple staggered the requirement, and started with version 11.5.502.149:

XProtect 2013.02.26

The minimum version required is now 11.6.602.171, which is the most recent:

XProtect 2013.02.28

Updates and minimum requirements are great, but there is something else Chrome and Firefox users can take advantage of: click to play. Turning on click to play will limit plugins from running unless it's actually something that the user wants to run.

For Chrome, go to "chrome://settings/content" and look for Plug-ins:


For Firefox, open the about:config settings page and look for "plugins.click_to_play" and set the value to true.

Firefox, plugins.click_to_play


Monday, March 4, 2013

Evernote Hacked: 50 Million E-mail Addresses Exposed Posted by Sean @ 13:29 GMT

Evernote is now officially a member of the recently hacked. The company develops software for notetaking and archiving.

Its customers received password reset notifications over the weekend. Almost 50 million e-mail addresses and usernames have also been exposed by the hack. Evernote customers should therefore be wary of targeted phishing attacks.

Evernote Security Notice

How was Evernote hacked? Its security notice doesn't offer any details.

But… here's Evernote CEO Phil Libin (surrounded by Macs):

Evernote CEO Phil Libin
Business Insider: Take A Tour Of The Office Where The Most Useful iPhone App In The World Is Made

So… our guess is that one (or more) of Evernote's mobile phone app developer's Macs was compromised via a watering hole attack.