NEWS FROM THE LAB - March 2015


Thursday, March 19, 2015

Our VPN Service Takes Your Privacy Seriously
Posted by Sean @ 15:26 GMT

TorrentFreak recently asked "leading [VPN] providers about their logging practices and other privacy sensitive policies."

TorrentFreak Questions

Questions such as:

1 — Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2 — Under what jurisdiction(s) does your company operate?

3 — What tools are used to monitor and mitigate abuse of your service?

The folks responsible for our Freedome VPN answered:

TorrentFreak Answers

Read all the questions/answers at TorrentFreak and/or our Safe and Savvy blog.


Friday, March 13, 2015

Variants of Ransomware Targeting Video Game Files
Posted by Sean @ 12:09 GMT

"Free" Decryption — but you'll need to pay a ransom first.

Free Decryption

The image above is from the Web interface of a ransomware scheme that is targeting video game files (among others).

Details here and here.

Protip: backup — all — of your important stuff.


Thursday, March 12, 2015

Nordea Phishing Campaign Continues
Posted by FSLabs @ 15:29 GMT

Just when we thought this Nordea phishing campaign was over, it reared its ugly head once again. It made its comeback on March 5th.

[Image: first_seen]

The phishing site looks pretty similar to the actual Nordea Finnish website.

[Image: site]

Many of us in the Labs are Nordea customers, so we know that if the perpetrator is able to steal information from this page, there is nothing else they can do other than log in to the account once and check the balance. They will be unable to make any transactions, since they would need more than one PIN.

However, the ones behind this did their homework.

If someone falls victim to this attack, they will be led to yet another page that asks for the previous PIN and the next four PINs.

[Image: first_error_page]

After this page, the victim will be asked for the last four digits of their credit card number and the CVV.

[Image: second_error_page]

Once all of that information has been stolen, the fake page redirects to the real Nordea website.

[Image: redirection]

As expected, over the last 7 days the majority of the phishing site's visitors were from Finland.

[Image: visits]

We do have a detection already that covers this.

[Image: wts_block]

It's also good to note that if you are using our product, Banking Protection will trigger when you visit the real Nordea bank site and isolate unknown traffic during your banking session.

[Image: nordea_real]


Tuesday, March 10, 2015

Twitter Now Tracking User IP Addresses
Posted by Sean @ 13:48 GMT

On Monday, I was testing our Freedome VPN for Windows and eventually… I forgot that I was using our London exit node.

Freedome for Windows, London

And then I attempted to log in to Twitter.

This was the result:

Twitter, Verify your identity

And then I received this message via e-mail:

5ean5ullivan, Reset your password

An unusual device or location?

In order to determine that I was attempting to log in from an "unusual" location, Twitter must be keeping a history of my previous IP addresses to compare against. This type of security feature is not new; Facebook has been doing this sort of thing for years already. But I've not yet seen it from Twitter. (A few years ago, Twitter seemed to be actively against such an idea.) Unlike Facebook, I don't see anywhere from which I can download my own connection history. Previously used IP addresses are available to those who download a Facebook archive, but IP address information isn't in the Twitter archive that I downloaded today.

So the questions I now have for Twitter are these: for how long have my connections been logged and tracked? And when will a copy of the data be available to me?

March 11th update:

Eagle-eyed reader Tero Alhonen found the answer to one of my questions in Twitter's Privacy Policy.

Twitter's Privacy Policy, Log Data

Twitter "may" receive information such as IP address and will "either delete Log Data or remove any common account identifiers" "after 18 months." The language about 18 months was first included in version 5 of the policy, June 23, 2011.

So then that just leaves this question: can I please get a copy of the data?

Post by — Sean


Friday, March 6, 2015

Ransomware Report: The Rise of BandarChor
Posted by FSLabs @ 16:45 GMT

This week, we have received a number of reports on yet another ransomware, BandarChor.

This ransomware is not exactly fresh. The first infections we noticed from this family date back to last November.


We have had reports of BandarChor being spread via email and have seen indicators that it may have been distributed by exploit kits.

Upon execution, the malware drops a copy of itself in the Startup directory, along with the ransom notification image.


It then attempts to encrypt files with various extensions, such as doc, xls, jpg and the like.


After encryption, the files are renamed as [filename].id-[ID].


Then it reports the user's computer name and ID to a remote location via HTTP POST.
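As an added example (not code from this post or from F-Secure), here is a small Python scanner that looks for the [filename].id-[ID] rename pattern described above in a directory listing and groups hits by the appended ID, so that a burst of renamed documents sharing one ID stands out. The exact ID format and the extensions beyond doc, xls and jpg are assumptions.

```python
import re
from collections import defaultdict

# BandarChor appends ".id-<ID>" to the original name, e.g. "report.doc" -> "report.doc.id-1234".
# The ID format is an assumption, so any run of characters without dots or slashes is accepted.
RENAME_RE = re.compile(r"^(?P<orig>.+?)\.id-(?P<id>[^.\\/]+)$")

# Extensions named in the post (doc, xls, jpg) plus a few common ones (assumption).
TARGET_EXTS = {"doc", "xls", "jpg", "docx", "xlsx", "pdf", "png"}


def parse_renamed(name):
    """Return (original_name, victim_id) if name matches the rename pattern, else None."""
    m = RENAME_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("id")


def scan_listing(names, threshold=3):
    """Scan a list of file names for signs of a BandarChor encryption run.

    Returns the renamed target files grouped per victim ID, plus the IDs whose
    file count reaches the threshold (several renamed documents with one ID).
    """
    per_id = defaultdict(list)
    for name in names:
        hit = parse_renamed(name)
        if hit is None:
            continue
        orig, vid = hit
        ext = orig.rsplit(".", 1)[-1].lower() if "." in orig else ""
        if ext in TARGET_EXTS:
            per_id[vid].append(orig)
    suspicious = sorted(vid for vid, files in per_id.items() if len(files) >= threshold)
    return {"per_id": dict(per_id), "suspicious_ids": suspicious}


# Constructed sample listing: one ID with several encrypted documents, plus noise.
SAMPLE_LISTING = [
    "budget.xls.id-1029384756",
    "photo.jpg.id-1029384756",
    "thesis.doc.id-1029384756",
    "notes.txt.id-1029384756",   # .txt is not in TARGET_EXTS, so it is not counted
    "readme.id-5555",            # no original extension, ignored
    "invoice.pdf",               # untouched file
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for vid in result["suspicious_ids"]:
        print(f"victim ID {vid}: {len(result['per_id'][vid])} renamed target files")
```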


Here's what the ransom message looks like.

Here's a list of other domains that we've seen related to this threat:


We are detecting this threat as Trojan:W32/BandarChor.




Is Babar a Bunny?
Posted by FSLabs @ 09:37 GMT

Lately there has been a lot of research and publicity around the strange case of Babar, malware connected to a suspected high-level espionage operation called SNOWGLOBE.

SNOWGLOBE was first brought to media attention about a year ago by the French newspaper Le Monde, when they wrote about top secret CSEC slides leaked by, who else, Edward Snowden himself. The set of slides contains numerous claims about French-originating malware which internally calls itself Babar. It didn't take long for the security community to dig out samples resembling Babar [1] [2] [3].

What exactly can we say about Bunny and its connection to Babar? For Bunny and EvilBunny, we have a lot of research available, so they are already quite well known to the security community. But when it comes to Babar, we only have screenshots of the mysterious top secret slides. However, there is now enough correlation to say with a high level of probability that Bunny and Babar, as described in the CSEC slides, belong to the same family of espionage tools.

Fact 1. Both operations seem to have been active mostly in 2010-2011. This is evident from the Bunny PE header timestamps, and the CSEC slides are from 2011.

Fact 2. Some Bunny samples present the same typing error in the User-Agent as documented in the slides (MSI instead of MSIE, see the CSEC slide SNOWBALL Beacons). Doesn't sound like a coincidence.

[Image: MSI]

Fact 3. One of the samples connected to Bunny drops a file named ntrass.exe, which is also mentioned in the CSEC slides. Doesn't sound like a coincidence.

Fact 4. The latest findings from the Bunny family actually reveal another internal project name: Babar64 [2] [3]. Doesn't sound like a coincidence.

Fact 5. Bunnies and little elephants are both cute and fluffy little animals. Very unusual in the APT world.

It can also be said with high likelihood that this malware originates from France. Some of the Bunny samples use Accept-Language: fr in their HTTP headers. There are also some really strange decisions in the internal naming, such as naming task threads "hearer" [1]. In the English-speaking software development world, this kind of task is usually called a "listener" or "monitor"; "hearer" isn't one of the default terms an English-speaking developer would use. It sounds more like a non-native English speaker who used a literal translation from a language they are used to. For example, the French "auditeur" translates to "auditor, listener, hearer".

But there are some things we cannot say about the connection. First off, the slides themselves do not name any specific actor, so rumors about French intelligence are not based on sound facts at the moment. The fact that Bunny uses the Lua programming language for extending its capabilities also adds to the mess (remember Flame?). It should also be noted that all the juicy pieces of attribution are in the slides, so we don't have first-hand evidence about that. There is also something to think about regarding the complexity level of Bunny: it is nowhere near the level of the high-profile APTs, such as Turla and Equation. That of course doesn't mean that there couldn't be a high-profile actor behind SNOWGLOBE. Sometimes it just makes one wonder why these people make their tools so obvious, like a glowing Christmas tree in the dark.


  •  2c678924a3d4307644208b199afd20940c058b62
  •  c923e15718926bb4a80a29017d5b35bb841bd246


Wednesday, March 4, 2015

Malicious DNS Servers Deliver Fareit
Posted by FSLabs @ 16:04 GMT

Last year we wrote about Fareit being massively spammed.

A couple of months later, they added another means of infecting systems: malicious DNS servers.

When the DNS server settings have been changed to point to a malicious server used by Fareit, an unsuspecting user visiting common websites gets an alert saying "WARNING! Your Flash Player may be out of date. Please update to continue".

[Image: _flash_update_chrome]

A "Flash Player Pro" download page will be shown pretending to be served from the website that the user is trying to visit.

[Image: _setupimg]

Downloading the "setup.exe" file does not actually pull any binary from Google. Instead, the user ends up with a copy of Fareit served from a malicious IP. Fareit is an information stealer and downloader.

[Image: _urls_1]

The recent samples that we've encountered connect and download from:

The Fareit infections via malicious DNS servers that we have seen were mostly in Poland.

[Image: _map]

Since the beginning of the year, we've observed users being redirected to these IPs:

And here are some of the reported malicious DNS servers:

If you would like to know more about your current DNS server settings, you can try out our beta tool which is available here.

If you've determined that your DNS server settings are affected, we recommend that you try these steps:

•  Disconnect the router from the Internet and reset it
•  Change the password on the router, especially if it is still the default password
•  Disable remote administration on the router
•  Check for and install the latest router firmware
•  Reboot the desktop system to flush the DNS cache
•  Scan the desktop system using a trusted, up-to-date antivirus program


Monday, March 2, 2015

How To Keep Your Smart Home Safe
Posted by Mika @ 22:11 GMT

Internet of Things (IoT) devices can help you save time and hassle and improve your quality of life. As an example, you can check the contents of your fridge and turn on the oven while at the grocery store, saving money, uncertainty, and time when preparing dinner for your family. This is great, and many people will benefit from features like these. However, as with all changes, along with the opportunity there are risks. In particular there are risks to your online security and privacy, but some of these risks extend to the physical world as well. As an example, the ability to remotely open your front door lock for the plumber can be a great time saver, but it also means that anyone who hacks your cloud accounts can open your door too, and possibly sell access to your home on dark markets. And it's not just about hacking: these gadgets collect data about what's happening in your home and life, and hence they themselves present a risk to your privacy.

Example of a smart home set up

Image: The above image shows a typical smart home configuration and the kinds of attacks it can face. While the smart home is not a target at the moment due to its low adoption rate and high fragmentation, all of the layers can be attacked with existing techniques.

If you are extremely worried about your privacy and security, the only way to really stay safe is to not buy and use these gadgets. However, for most people, the time-saving convenience of IoT and the Smart Home will outweigh most privacy and security implications. Also, IoT devices are not widely targeted at the moment, and even when they are, the attackers are after the computing power of the device, not yet your data or your home. Actually, the biggest risk right now comes from the way the manufacturers of these devices handle your personal data. All that said, you shouldn't just blindly jump in. There are some things you can do to reduce the risks:

•  Do not connect these devices directly to public internet addresses. Use a firewall or at least a NAT (Network Address Translation) router in front of the devices to make sure they are not discoverable from the Internet. You should disable UPnP (Universal Plug and Play) on your router if you want to make sure the devices cannot open a port on your public internet address.

•  Go through the privacy and security settings of the device or service and remove everything you don't need. For many of these devices the currently available settings are precious few, however. Shut down features you don't need if you think they might have any privacy implications. For example, do you really use the voice command feature in your Smart TV or gaming console? If you never use it, just disable it. You can always re-enable it if you want to give the feature a try later.

•  When you register with the cloud service of the IoT device, use a strong and unique password and keep it safe. Change the password if you think there is a risk that someone has seen it. Also, as all of these services allow a password reset through your email account, make sure you secure the email account with a truly strong password and keep that password safe. Use 2-factor authentication (2FA) where available, and for most popular email services it is available today.

•  Keep your PCs, tablets, and mobile phones clear of malware. Malware often steals passwords and may hence steal the password to your smart home service or the email account linked to it. You need to install security software onto devices where you use the passwords, keep your software updated with the latest security fixes, and, as an example, make sure you don't click on links or attachments in weird spam emails.

•  Think carefully if you really want to use remotely accessible smart locks on your home doors. If you're one of those people who leave the key under the door mat or the flower pot, you're probably safer with a smart lock, though.

•  If you install security cameras and nannycams, disconnect them from the network when you have no need for them. Consider doing the same for devices that constantly send audio from your home to the cloud unless you really do use them all the time. Remember that most IoT devices don't have much computing power and hence the audio and video processing is most likely done on some server in the cloud.

•  Use encryption (preferably WPA2) in your home Wi-Fi. Use a strong Wi-Fi passphrase and keep it safe. Without a passphrase, with a weak passphrase, or when using an obsolete protocol such as WEP, your home Wi-Fi becomes an open network from a security perspective.

•  Be careful when using open Wi-Fi networks such as the network in a coffee shop, a shopping mall, or a hotel. If you or your applications send your passwords in clear text, they can be stolen and you may become the victim of a Man-in-the-Middle (MitM) attack. Always use a VPN application when using open Wi-Fi. Again, your passwords are the key to your identity and also to your personal Internet of Things.

•  Limit your attack surface. Don't install devices you know you're not going to need. Shut down and remove all devices that you no longer need or use. When you buy a top of the line washing machine, and you notice it can be connected through Wi-Fi, consider if you really want and need to connect it before you do. Disconnect the device from the network once you realize you actually don't use the online features at all.

•  When selecting which manufacturer you buy your device from, check what they say about security and privacy and what their privacy principles are. Was the product rushed to the market and were any security corners cut? What is the motivation of the manufacturer to process your data? Do they sell it onwards to advertisers? Do they store any of your data and where do they store it?

•  Go to your home router settings today. Make sure you disable services that are exposed to the Internet -- the WAN interface. Change the admin password to something strong and unique. Check that the DNS setting of the router points to your ISP's DNS server or some open service like OpenDNS or Google DNS and hasn't been tampered with.

•  Make sure you keep your router's firmware up to date, and consider replacing the router with a new one, especially if the manufacturer no longer provides security updates. Consider moving away from a manufacturer that doesn't do security updates or stops them after two years. The security of your home network starts from the router, and the router is exposed to the Internet.

The above list of actions is extensive and maybe a bit on the "band-aid on the webcam" paranoid side. However, it should give you an idea of what kinds of things you can do to stay in control of your security and privacy when taking the leap to the Internet of Things. Security in the IoT world is not that different from before: your passwords are just as important in IoT, as are the principles of deploying security patches and turning off services you don't need.