NEWS FROM THE LAB - March 2014


Tuesday, March 25, 2014

Gameover ZeuS Targets Monster Posted by Sean @ 11:57 GMT

Recently, we obtained a current Gameover ZeuS configuration file and we noticed that in addition to CareerBuilder — Gameover now also targets Monster.

Here's the legit URL:

A computer infected with Gameover ZeuS will inject a new "Sign In" button, but the page looks otherwise identical:, gameover

And then the following "security questions" are requested via an injected form:, gameover question injection

Here's the full list:

  •  In what City / Town does your nearest sibling live?
  •  In what City / Town was your first job?
  •  In what city did you meet your spouse/significant other?
  •  In what city or town did your mother and father meet?
  •  What are the last 5 digits / letters of your driver\'s license number?
  •  What is the first name of the boy or girl that you first dated?
  •  What is the first name of your first supervisor?
  •  What is the name of the first school you attended?
  •  What is the name of the school that you attended aged 14-16?
  •  What is the name of the street that you grew up on?
  •  What is the name of your favorite childhood friend?
  •  What is the street number of the first house you remember living in?
  •  What is your oldest sibling\'s birthday month and year? (e.g., January 1900)
  •  What is your youngest sibling\'s birthday?
  •  What month and day is your anniversary? (ie. January 2)
  •  What was the city where you were married?
  •  What was the first musical concert that you attended?
  •  What was your favorite activity in school?

A cookie called "qasent" is spawned by the process.

HR recruiters with website accounts should be wary of any such irregularities. If the account is potentially tied to a bank account and a spending budget … it's a target for banking trojans.

It wouldn't be a bad idea for sites such as Monster to introduce two factor authentication, beyond mere security questions.


Analysis by — Mikko Suominen


Thursday, March 20, 2014

Vero Phishing Sighted Posted by Karmina @ 11:08 GMT

It's not exactly the perfect timing for tax refunds in Finland, but that did not deter impatient phishers. Earlier today, we received a tip regarding an e-mail that has been going around pretending to be a Vero refund.

When the link on the page is visited, the user will end up in a page that looks like this:

It contains all the fields that the user of course needs to fill up, not to get a refund, but to give their credit card numbers and personal information away.

Folks, please delete that e-mail. It's not from Vero.

Post by — Christine


Friday, March 14, 2014

Gameover ZeuS Jumps on the Bitcoin Bandwagon Posted by Sean @ 11:14 GMT

We're always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings.

Very interesting, indeed.

Here's a screenshot of the decrypted strings:

Gameover ZeuS Bitcoin strings

  •  aBitcoinQt_exe
  •  aBitcoind_exe
  •  aWallet_dat
  •  aBitcoinWallet
  •  aBitcoinWalle_0

Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro.

Analysis is ongoing.

Here's the SHA1: 657b1dd40a4addc1a6da0fb50ee6e325fff84dc4

Analysis by — Mikko Suominen

Updated to add:

Gameover ZeuS can now steal both Bitcoin wallets and the passwords used to encrypt them.

Theft is accomplished by hooking two functions in processes named bitcoin-qt.exe (the normal GUI client) and bitcoind.exe (the client used for Bitcoin mining). The hooked functions are:

  •  The Windows API NtCreateFile
  •  A function in the Bitcoin process that is called when the user encrypts his Bitcoin wallet

The first hook enables Gameover ZeuS to steal the content of the Bitcoin wallet as the Bitcoin client accesses it. The second hook enables Gameover ZeuS to steal the password the victim uses to encrypt his wallet.


Thursday, March 13, 2014

On NSA Hijacking of IRC Bots Posted by Sean @ 14:03 GMT

Hijacking a botnet. Is it ethical? No.

Not without very careful coordination with law enforcement — and in that case, you want to shut it down.

You don't want to hijack it. At least… not if you're ethical.

But what if you're an intelligence agency?

When then apparently the answer is: absolutely, yes.

According to recently disclosed documents, the NSA had hijacked up to 140,000 bots by 2007.

Quantumbot, Takes control of idle IRC bots


Quantumbot, Highly Successful
Source: There Is More Than One Way to Quantum

And they didn't stop in 2007. Another document includes details about Quantumbot 2.

Combination of Q-Bot/Q-Biscuit
Source: The NSA and GCHQ’s QUANTUMTHEORY Hacking Tactics

The NSA: a morally and ethically bankrupt institution that makes others feel silly for bothering with due process.



Wednesday, March 12, 2014

Governments, The Web and Surveillance Posted by Mikko @ 10:35 GMT

When the web became commonplace, the decision-makers ignored it, considering it irrelevant. As a result, freedom flourished online. People weren't just consuming content; they were creating it.

But, eventually, politicians and leaders realised how important the internet is. And they realised how useful the internet can be for other purposes — especially for surveillance of citizens. The two chief inventions of our generation — the internet and the mobile phone — changed the world. However, they both turned out to be perfect tools for the surveillance state. And in such a state, everybody is assumed guilty.

US intelligence agencies have a full legal right to monitor foreigners — and most of us are foreigners to the Americans. So when we use US-based services, we are under surveillance — and most of the services we use are US-based.

Advancements in computing power and data storage have made wholesale surveillance possible. But they've also made leaking possible, which will keep organisations worrying about getting caught over any wrongdoing. The future of the web is hanging in the balance between parties that want to keep us under surveillance and parties that want to reveal the nature of such surveillance. Both parties have the data revolution on their side.

While governments are watching over us, they know we're watching over them.

Mikko Hypponen

This column was originally published in Wired's Web at 25 Special. Be sure to read the other columns from Tim Berners-Lee, Jimmy Wales, Vint Cerf and others


Tuesday, March 11, 2014

How many Beliebers will blindly click on a link? Posted by Sean @ 14:02 GMT

Somebody with access to Justin Bieber's Twitter account was "hacked" on March 8th. And for a brief period of time, the attacker was able to publish as Bieber. It's hardly worth mentioning except for the fact that the Tweets included a link — and offers a few interesting statistics.

How many Beliebers clicked on the links?


70,381 in total.

And where did the clicks come from?


The USA was the source of nearly 24,000 clicks. (Finland apparently has 348 true Beliebers.)


70 thousand clicks from more than 50 millions followers — that's not a very big percentage overall. But still, not a bad result for the spammer considering the account was only compromised for 15 minutes.

You can examine the stats for yourself at: (for now).


Monday, March 10, 2014

Download: Threat Report Posted by Sean @ 18:24 GMT

Our Threat Report covering the second half of 2013 (with some forecasting of 2014) was released last week.

F-Secure Labs Threat Report for H2 2013

You'll find it, and all of our previous reports in the Labs section of


Monday, March 3, 2014

Tuesday: Threat Report Webinar Posted by Sean @ 13:53 GMT

We'll be having a discussion about our forthcoming H2 Threat Report tomorrow: Tuesday, March 4th, at 15:00 GMT.

Threat Report Webinar

The details are available via Google Plus.

Including how you can view the live stream without logging into Google Plus…