NEWS FROM THE LAB - April 2012


Monday, April 30, 2012

Omaha, Nebraska is a Hotbed of Cybercrime Investigation Posted by Sean @ 13:56 GMT

Regular readers of Krebs on Security will know that small and medium sized businesses and organizations have been the target of cybercrime gangs for several years now. What you might not know is which law enforcement agency investigates those crimes.

It turns out that many ZeuS banking trojan investigations were handled by the (little known) Omaha (Nebraska, USA) office of the FBI. The FBI's special agent in charge, Weysan Dun, retired on Friday and gave an interview to the Omaha World-Herald.

It's a good read. And a real eye-opener for anybody working for an SMB.

Wanted: Money Mules

Our favorite bit of trivia from the article: Brian Krebs apparently traumatizes small business owners with tales of banking trojan terror if they end up sitting next to him on airplanes…


Wednesday, April 25, 2012

Kickstarting a Movie About Cybercrime Posted by Mikko @ 13:47 GMT

Filmmakers Charles and Walker Koppelman are working on a new movie project about cybercrime. We've met with Charles and the project seems really interesting.

The project is still underway, and now the filmmakers are looking for additional funding via crowdsourcing. Check out the current status of the project at Kickstarter. If you feel like it, you can fund part of the movie.



Tuesday, April 24, 2012

A Tumblr of Rogues Posted by Karmina @ 15:48 GMT

Rogue antivirus has not drawn much attention recently, probably because it is no longer screaming in everyone's face the way it did a couple of years ago, when most trending topics produced massive amounts of blackhat SEO-poisoned URLs.

So where are they lurking nowadays?

They are still using the SEO-poisoning method, of course. They do need to gain some visibility after all. But in addition to the usual compromised domains, they are now happily residing in Tumblr.

The screenshot below is taken from one of the several rogue-pushing Tumblr accounts:


And well, as Internet users, what do we do when we are presented with a video with a play button in the middle? We click it! Right? And the video will promptly play… well, not this time. That "video" is actually an image. So that innocent click kicks off the chain: it takes you to a page which redirects to an exploit page and finally to a rogue antivirus.


It downloads a file named YvMiN.jar, which exploits Java vulnerability CVE-2012-0507. In addition, if the browser used is not Chrome, additional files (named DoNbI.pdf and hCJkApns.pdf) are also downloaded, which then exploit vulnerabilities in Adobe Reader, specifically CVE-2008-2992, CVE-2007-5659, and CVE-2010-0188.


Successful exploitation currently leads to a rogueware called Windows Performance Adviser.


So… tip of the day… if those wonderful videos are not on a trusted domain… don't click them… but… but… just don't. ;)

Safe surfing!


Confused News Regarding Police Ransom Trojans Posted by Mikko @ 13:20 GMT

Computer security is confusing. It's not a simple topic to write about. Mass media often gets the details wrong.

However, we rarely see news articles as confused as those we have seen about Police Themed Ransomware.

So, what is Police Themed Ransomware? Malicious trojans, spread by online criminals.

What do they do? They lock up your PC, claim that it was locked by the police as you had illegal content on your system and demand a payment to open up the PC.

We've written about such Police Themed Ransomware previously. For more details, see this blog post.

Obviously these police trojans have nothing to do with Bundespolizei, New Scotland Yard or the United States Department of Justice — they are just stealing their brand.

But today we saw a news agency called ANI publish a confused wire story on the topic.

The story claims that "the scam is believed to come from Scotland Yard's specialist cyber crime officers, the Police Central e-Crime Unit" and "Scotland Yard has warned that police have detected paedophile or terrorist activity as being behind a virus".


The story references an earlier article in The Telegraph, which does get the details correct.

And because ANI is a wire service, the story has already been reprinted across the web.


No, these police trojans are not coming from the police. Trust us on this one.


Monday, April 23, 2012

Trojan:Java/SmsSy.A Targeting Devices with Java Midlet Installed Posted by ThreatSolutions @ 03:40 GMT

An SMS-sending Trojan, which targets mobile devices with Java midlet installed, has been circulating in Malaysia. Some victims reported that they have been receiving an SMS message which appears to be an update from Samsung.

A message that appears as an update from Samsung

But upon clicking the link, they are redirected to another link (http://mmgbu[...].com:90/[...].jar) that leads to a JAR file. This JAR file contains the details the malware uses to send SMS messages to multiple short numbers.

Upon execution, the trojan sends three SMS messages (most likely to premium numbers) without the user's consent. The contents and recipient numbers are as follows:

  •  "On GB" to 39914
  •  "On DF" to 39914
  •  "On HB" to 33499

Then it shows the title "HOT WEB DL" and images of women grouped into five selections: DANCE CLUB, BEACH GIRLS, FUNNY VIDEO, GT MODEL, and HOT CAM. Once an option is selected, it sends out SMS messages containing the string "On (content)" to (number), where the contents can be:

  •  HB
  •  MODEL
  •  LY
  •  AV
  •  GA

These messages are later sent out to the following numbers:

  •  33499
  •  33499
  •  36660
  •  36660
  •  36989

A file containing the details on message contents and recipient numbers

Images used by SmsSy.A

An analysis of another sample of the same trojan revealed that this one was assigned with a different set of contents and recipient numbers:

Another sample of SmsSy.A was assigned with different set of contents and numbers

A different set of images used by SmsSy.A

We have properly rated the offending URL, and published the detection as Trojan:Java/SmsSy.A.

Sha1: 75a91ac99cb5bc2a755d452393d29fa66a323c3f
Sha1: bca72058af2a7ddb9577ecb9a61394a31aea5767

Threat Solutions post by — Jordan and Raulf


Thursday, April 19, 2012

Ransomcrypt Decryption Script Posted by Sean @ 15:35 GMT

Last week, we wrote about a ransom trojan called Trojan:W32/Ransomcrypt which encrypts documents, images, videos, et cetera and holds the files hostage for €50.


Ransomcrypt encrypts files using Tiny Encryption Algorithm (TEA). The key is formed from a "base key" which is modified based on the first character of the name of the file that is being encrypted to form a "file specific key". Both the base key and the file specific key are 16 bytes long.
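An added illustration of the scheme just described (this is not F-Secure's support script): standard TEA decryption driven by a per-file key derived from the base key and the first character of the file name. Assumed, because the post does not state them: little-endian TEA words, a hypothetical XOR-based key modification in derive_file_key, and trailing partial blocks left in the clear; the .EnCiPhErEd extension is the one the trojan appends.

```python
import struct
import tempfile
from pathlib import Path

TEA_DELTA = 0x9E3779B9
TEA_ROUNDS = 32
MASK32 = 0xFFFFFFFF
ENCRYPTED_EXT = ".EnCiPhErEd"  # extension Ransomcrypt appends to each file it encrypts


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Standard TEA: 64-bit block, 128-bit key, 32 rounds (little-endian words assumed)."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = struct.unpack("<4I", key)
    total = 0
    for _ in range(TEA_ROUNDS):
        total = (total + TEA_DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack("<2I", v0, v1)


def tea_decrypt_block(block: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt_block: the same round function applied backwards."""
    v0, v1 = struct.unpack("<2I", block)
    k0, k1, k2, k3 = struct.unpack("<4I", key)
    total = (TEA_DELTA * TEA_ROUNDS) & MASK32
    for _ in range(TEA_ROUNDS):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - TEA_DELTA) & MASK32
    return struct.pack("<2I", v0, v1)


def derive_file_key(base_key: bytes, original_name: str) -> bytes:
    """HYPOTHETICAL key schedule. The post only says the 16-byte base key is modified
    using the first character of the file name; the real transformation is not
    published, so here that character is simply XORed into the first key byte."""
    first = original_name[:1].encode("latin-1", "replace") or b"\x00"
    return bytes([base_key[0] ^ first[0]]) + base_key[1:]


def tea_ecb(data: bytes, key: bytes, encrypt: bool) -> bytes:
    """Apply TEA block by block (ECB). A trailing partial block is assumed to be left
    in the clear; the post does not say how the trojan treats file tails."""
    op = tea_encrypt_block if encrypt else tea_decrypt_block
    full = len(data) - len(data) % 8
    out = bytearray()
    for i in range(0, full, 8):
        out += op(data[i:i + 8], key)
    return bytes(out) + data[full:]


def decrypt_file(enc_path: Path, base_key: bytes, out_dir: Path) -> Path:
    """Decrypt one .EnCiPhErEd file into out_dir. The input is never overwritten,
    so working on copies (as the post insists) makes a wrong key harmless."""
    if not enc_path.name.endswith(ENCRYPTED_EXT):
        raise ValueError(f"{enc_path.name} lacks the {ENCRYPTED_EXT} extension")
    original_name = enc_path.name[:-len(ENCRYPTED_EXT)]
    file_key = derive_file_key(base_key, original_name)
    out_dir.mkdir(parents=True, exist_ok=True)
    out_path = out_dir / original_name
    out_path.write_bytes(tea_ecb(enc_path.read_bytes(), file_key, encrypt=False))
    return out_path


def run_demo() -> bytes:
    """Constructed end-to-end check: encrypt a sample document under the scheme
    above, then recover it with decrypt_file. Returns the recovered bytes."""
    base_key = bytes(range(16))  # constructed base key, not one from a real sample
    plaintext = b"Quarterly report: revenue up 12%.\n" * 3  # 102 bytes, 6-byte tail
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        enc = work / ("report.doc" + ENCRYPTED_EXT)
        enc.write_bytes(tea_ecb(plaintext, derive_file_key(base_key, "report.doc"), True))
        return decrypt_file(enc, base_key, work / "recovered").read_bytes()
```

Because the real key modification is unknown here, recovering actual Ransomcrypt files requires replacing derive_file_key with the schedule taken from the sample; the rest of the tool is unchanged.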

Our analysts have created a decryption script, written in Python, for our support team. Fortunately, we've only seen a small number of customer cases. The decryption script works with two variants of Ransomcrypt.

  •  Trojan:W32/RansomCrypt.A, SHA1: b8f60c64c70f03c263bf9e9261aa157a73864aaf
  •  Trojan:W32/RansomCrypt.B, SHA1: 1e41e641e54bb6fb26b5706e39b90c93165bcb0b

Read the EULT here.

Download (SHA1: 9ab467572691f9b6525cc8f76925757a543a95d8)

Pay particular attention to the directive that you should first attempt to use this script on a copy of the encrypted files.

Do not use the "originals".


Tuesday, April 17, 2012

More Mac Malware Exploiting Java Posted by Brod @ 09:07 GMT

Reports of new Mac malware variants exploiting CVE-2012-0507 surfaced last week. The Java vulnerability is the same one used by Flashback to infect more than 600 thousand Macs.

The first new threat was analyzed by the folks at Trend Micro. The Java applet for Mac actually exploits CVE-2012-0507, and if successful, the payload is the same malware that AlienVault Labs discovered last month (being used in targeted attacks against human rights NGOs).

The second threat seems at first to be a completely new piece of malware. However, samples collected since then reveal that it is also being dropped by the same Word documents exploiting MS09-027/CVE-2009-0563 that were used to drop Backdoor:OSX/Olyx.C and Backdoor:OSX/MacKontrol.A, which AlienVault also reported last month.

Both malware families appear to be active at the moment and are controlled manually, as observed by ESET and Kaspersky respectively. Both use the same malicious Java class dropper component. MD5: 5a7bafcf8f0f5289d079a9ce25459b4b

F-Secure antivirus detects these threats as Backdoor:OSX/Olyx.B and Backdoor:OSX/Sabpab.A.

MD5: 78f9bc441727544ebdc8374da4a48d3f – Backdoor:OSX/Olyx.B (also known as Lamadai.A)
MD5: 40c8786a4887a763d8f3e5243724d1c9 – Backdoor:OSX/Sabpab.A (also known as Lamadai.B)
MD5: 3aacd24db6804515b992147924ed3811 – Backdoor:OSX/Sabpab.A

These malware variants are being used in targeted attacks against Tibetan focused NGOs and are therefore very unlikely to be encountered "in-the-wild" by day to day Mac users. If you're a Mac using human rights lawyer however… your odds of exposure are another matter entirely. If you don't have it already, now is the time to install antivirus on your Mac.


Thursday, April 12, 2012

Trojan:W32/Ransomcrypt Posted by Sean @ 12:47 GMT

We are receiving reports of a ransom trojan that has been circulating during the last two days.

When first run on the system, the ransomware iterates over all folders on the system. Every document, image, and shortcut (.lnk) file found is encrypted and appended with the extension .EnCiPhErEd. In each folder it drops a text file called "HOW TO DECRYPT.TXT" which contains instructions on how to proceed. The bandit is demanding €50.

It drops a copy of itself in the system's temp folder with a random name. It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy will be launched whenever those files are run, in order to demand the decryption password. After five attempts it will no longer accept passwords. And it then deletes itself, leaving your data encrypted.

Our threat hunters think that the source of this ransomware may be malicious tags inserted into websites, particularly forums.

Here's how encrypted files look once the trojan has done its work:


This is the content of the text file:

Attention! All your files are encrypted! You are using unlicensed programs! To restore your files and access them, send code Ukash or Paysafecard nominal value of EUR 50 to the e-mail [removed] During the day you receive the answer with the code. You have 5 attempts to enter the code. If you exceed this of all data irretrievably spoiled. Be careful when you enter the code!



The "Error!" message that you'll get if the wrong password is input:


Another error message, repeating the demands found in the .txt file:


The encryption used by this trojan is not as complex as some other ransomware we've analyzed, such as Gpcode. Investigations to determine if its encryption can be cracked are ongoing.

SHA1: b8f60c64c70f03c263bf9e9261aa157a73864aaf

Analysis by — K.M. Chang


Wednesday, April 11, 2012

Flashback Removal Tool Posted by Mikko @ 15:48 GMT

We have created a free tool that automates the detection and removal of the widespread Flashback Mac OS X malware.


How to use the tool:

1) Download to the Mac machine you want to scan.
2) Double-click the zip package to unzip it in the current folder.
3) Double-click the FlashBack Removal app to run the tool.
4) Follow the instructions to check your system and clean any infections.

The tool creates a log file (RemoveFlashback.log) on the current user's Desktop. If any infections are found, they are quarantined into an encrypted ZIP file in the current user's Home folder. The ZIP is encrypted with the password "infected".

Apple has announced that it's working on a fix for the malware, but has given no schedule for it.


Quite surprisingly, Apple hasn't added detection for Flashback — by far the most widespread OS X malware ever — to the built-in XProtect OS X antivirus tool.

Also note that Apple has not provided a patch for the Java vulnerability used by Flashback for OS X v10.5 (or earlier). More than 16% of Macs still run OS X 10.5.

Chitika, March 2012, Mac OS X Versions

If you run an older version of Mac OS X, update to a current version. Or disable Java in your browser. Or uninstall Java. And run our free tool. And yes, we have a full-blown F-Secure Antivirus for Mac available as well.

Update: Small false positive fix. The tool linked above has been updated (April 12th). Version 1.1.0.

Update: April 13th, here's the link for Apple's security update:


Thursday, April 5, 2012

Mac Flashback Infections Posted by Sean @ 14:44 GMT

On Monday, we wrote about a variant of the Mac Flashback trojan that exploits a then unpatched Java vulnerability (CVE-2012-0507). Apple released its security update on Tuesday. If you have Java installed on your Mac — update now.

Yesterday, Dr. Web (a Russian based antivirus vendor) reported that Flashback may have infected over half-a-million Macs.

Each installation of Flashback creates a unique User-Agent. Dr. Web's Ivan Sorokin later reported that their sinkhole now counts over 600,000 infections.

Our Anti-Virus for Mac detects the latest Flashback variant as Trojan-Downloader:OSX/Flashback.K.

Here are some of our recent Flashback descriptions:

  •  Flashback.I
  •  Flashback.K

Our previous Mac related posts include instructions on how to disable Java, how to check for a Flashback infection, and manual removal:

  •  Mac Malware at the Moment
  •  Are you having a (Mac) Flashback?
  •  Mac Flashback Exploiting Unpatched Java Vulnerability

For those of you celebrating the Easter Holiday this weekend — if you're visiting your parents and they have a Mac — now is the time to update, disable, or remove their Java client plugin/installation!

(And that goes for Windows too.)

Updated to add: We have shipped a free Flashback removal tool.

Wednesday, April 4, 2012

Police Themed Ransomware Continues Posted by SecResearch @ 12:24 GMT

Over the last several weeks, we've been monitoring a rash of ransomware campaigns across Europe, in which messages, supposedly from the local police, are displayed demanding that a fine must be paid in order to unlock the computer. We wrote about a Finnish language variant last month. Attacks are still quite active according to our statistics.


Even when somebody is savvy enough to recognize that the message is a fake, the malware's accusation that offensive material has been discovered on the user's hard drive creates a chilling effect, which has likely prevented some folks from seeking outside help.

Here's a screenshot we took earlier today using a recent variant:


To unlock their computer, the user is asked to purchase a Paysafecard from a local convenience store chain (in Finland, it's R-Kioski) in the amount of 100 euros. The technique is effective, as even non-technical people who might not be able to use online payment services such as Webmoney or eGold will be able to walk to the nearest store to part with their money.

In this particular case, the e-mail address shown in the screenshot does not belong to the attackers. The domain is valid and belongs to the US Department of Justice.

For this variant (SHA1: e6e330614c46939b144cff9bd627ba098dce9873), the easiest way to manually disable it is as follows:

1 – Press Ctrl-O (that's the letter O, not the number zero).
2 – Select "Browse", go to c:\windows\system32 and open cmd.exe.
3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
4 – Browse to your Startup folder. The path will vary depending on the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but let's not get started on that…).


5 – Delete any entries you don't recognize. The names of the malicious entries may be different than the ones shown in the screenshot. If you are unsure, you can remove all entries, but at the risk of disabling other valid applications from automatically starting.
6 – Reboot the computer.

After this the threat is disabled but malicious files still remain on the computer. Scanning the computer with an antivirus product is highly recommended.

The steps may vary slightly depending on the variant. CERT-FI has published removal instructions for a different variant with slightly different steps, and Microsoft provides information in their description.

Updated to add on April 5th: Our description for Trojan:W32/Reveton includes removal instructions.


Security Response Post by — Antti and Karmina


Tuesday, April 3, 2012

A Mysterious Java Exploit Posted by ThreatInsight @ 10:27 GMT

Last week Kahu Security blogged about Escalating Java Attacks. Kahu's post dissects two Java exploits.


The first exploit targets CVE-2012-0507, the latest Java vulnerability that's been seen being exploited in the wild. This vulnerability was patched (for Windows) by Oracle in February 2012. I found the second exploit to be more interesting. It clearly appeared to be related to some Java CORBA vulnerability, possibly CVE-2012-0506, a Java vulnerability not yet known to be exploited in the wild. Last Friday I decided to take a closer look at this mysterious exploit.

First, I decompiled and analyzed the applet. However, I did not recognize anything in particular, as there have not been any exploits or Proof-Of-Concepts made publicly available for CVE-2012-0506. So I decided to test the exploit with different versions of the Java Runtime Environment to narrow down the list of potential vulnerabilities. I started by trying the latest version (JRE6 update 31) and, as expected, the exploit did not work because the vulnerability was already patched. Then I tested with an older Java version (JRE6u25) just to make sure that the exploit would work in my test environment, and it did. I was a bit surprised when I tested JRE6 update 30 and the exploit did not work. This was a clear indication that the sample was not exploiting CVE-2012-0506 (as I was expecting), because JRE6u30 still had this vulnerability.

I continued testing different JREs and determined that JRE6 update 29 is the version that patches this mysterious vulnerability. The Update Release Notes link to an Oracle Java SE Critical Patch Update Advisory – October 2011 that lists all the vulnerabilities patched in the update. Based on my initial analysis it was clear that the sample exploits some deserialization problem and the only vulnerability in the Risk Matrix related to deserialization is CVE-2011-3521. The ZDI advisory reveals two interesting facts. Firstly, the vulnerability was discovered by fellow Finn Sami Koivu who recently joined Oracle. Secondly, the problem is in IIOP deserialization which is exactly the piece of CORBA code that the exploit calls. This confirms that the mysterious vulnerability is… CVE-2011-3521.

On Saturday, Contagiodump wrote about the same sample. Michael Schierl e-mailed Contagiodump and also commented on the original Kahu Security blog post that the vulnerability was most likely not CVE-2012-0506, but rather, CVE-2011-3521.


I can confirm that Michael is right. His article has more details about the vulnerability.

It is strongly recommended to update your Java client to the latest version, disable it when not needed, or better yet, remove it completely if you don't really need it.

Java versions can be determined from:

The SHA1 hash of the exploit that I analyzed is: 83a04bd183ecb9e2598da9b67417cd57bc9f14fa

F-Secure Anti-Virus detects the exploit as Exploit:Java/CVE-2011-3521.A.




Monday, April 2, 2012

Blackhole's Lesser Known Exploit Posted by ThreatInsight @ 14:07 GMT

Although Blackhole has been investigated and dissected multiple times, there are still some surprises that emerge. One thing we just discovered is an exploit for CVE-2011-0559, which is one of the two Flash exploits being used by Blackhole currently.


Compared to other exploits, this one has been used by Blackhole for quite some time and yet… detection coverage across different security products is very low.


Very low antivirus coverage, no Metasploit module, and PoCs that are extremely difficult to find all increase the chances of successful exploitation. Blackhole targets Adobe Flash 10.0 and earlier versions, 10.1, and 10.0.x (where x is later than 40). The vulnerability has been patched since March 2011. Detection has been added to F-Secure Anti-Virus as Exploit:W32/CVE-2011-0559.A.

Blackhole never ceases to surprise.


Threat Insight Post by — Karmina and Timo


Mac Flashback Exploiting Unpatched Java Vulnerability Posted by Brod @ 12:07 GMT

Note: We have shipped a free Flashback removal tool.

A new Flashback variant (Mac malware) has been spotted exploiting CVE-2012-0507 (a Java vulnerability). We've been anticipating something like this for a while now.


Oracle released an update that patched this vulnerability back in February… for Windows.

But — Apple hasn't released the update for OS X (yet).

It appears that the Flashback gang is keeping up with the latest in exploit kit development. Last week, Brian Krebs reported that the CVE-2012-0507 exploit has been incorporated into the latest version of the Blackhole exploit kit. And that's not all. Though it is unconfirmed, there are rumors of yet another available exploit for an "as-yet unpatched critical flaw in Java" on sale.

So if you haven't already disabled your Java client, please do so before this thing really becomes an outbreak. Check out our previous post for instructions on how to disable Java on your Mac.

Our previous instructions on how to check whether you are infected with Flashback are still applicable. However, this variant has an additional updater component that is created in the infected user's home folder. By default it is created as "~/.jupdate".

A corresponding property list file is also created so that it will execute every time the infected user logs in. By default, the property list is created as "~/Library/LaunchAgents/".



However, these filenames may be different in the actual infected system as they are configurable by the malicious webpage delivering the exploit:
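Since the file names are attacker-configurable, a name-based check is weak. The added script below (not part of the F-Secure tool) instead parses every LaunchAgent plist and flags any whose program is a hidden (dot-prefixed) file under the user's home folder, noting whether launchd is set to keep it running; the two plists, the label com.example.jupdate and the /Users/alice home path are constructed for the demo.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample of the kind of LaunchAgent the post describes: a hidden
# "updater" in the home folder, started at login. Label, path and interval are
# made up here; on a real system all of them are chosen by the attacker.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.jupdate</string>
  <key>ProgramArguments</key><array><string>/Users/alice/.jupdate</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>4212</integer>
</dict></plist>"""

# Constructed benign agent for comparison: a visible binary outside the home folder.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array><string>/Applications/Sync.app/Contents/MacOS/sync</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def agent_findings(agent: dict, home: Path) -> list:
    """Heuristic from the post: flag an agent whose program is a dot-prefixed (hidden)
    file under the user's home folder, and note whether launchd keeps it running."""
    programs = []
    if isinstance(agent.get("Program"), str):
        programs.append(agent["Program"])
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        programs.append(args[0])
    persistent = bool(agent.get("RunAtLoad")) or "StartInterval" in agent or "KeepAlive" in agent
    findings = []
    for prog in programs:
        path = Path(str(home) + prog[1:]) if prog.startswith("~/") else Path(prog)
        in_home = str(path).startswith(str(home))
        hidden = any(part.startswith(".") and part not in (".", "..") for part in path.parts)
        if in_home and hidden:
            how = " (RunAtLoad/StartInterval/KeepAlive set)" if persistent else ""
            findings.append(f"hidden program under home folder: {prog}{how}")
    return findings


def triage_launch_agents(agents_dir: Path, home: Path) -> dict:
    """Parse every .plist in agents_dir; return {file name: findings}. Files that do
    not parse are reported too, since a damaged plist in LaunchAgents deserves a look."""
    report = {}
    for path in sorted(agents_dir.glob("*.plist")):
        try:
            with open(path, "rb") as fp:
                agent = plistlib.load(fp)
        except Exception as exc:  # plistlib raises several exception types for bad input
            report[path.name] = [f"unparseable plist: {exc}"]
            continue
        findings = agent_findings(agent, home) if isinstance(agent, dict) else ["root is not a dict"]
        if findings:
            report[path.name] = findings
    return report


def run_demo() -> dict:
    """Write both constructed agents into a temporary LaunchAgents folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp) / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        (agents / "com.example.jupdate.plist").write_bytes(SAMPLE_AGENT)
        (agents / "com.example.sync.plist").write_bytes(BENIGN_AGENT)
        return triage_launch_agents(agents, Path("/Users/alice"))
```

On a real Mac, call triage_launch_agents(Path.home() / "Library" / "LaunchAgents", Path.home()) and review each flagged file by hand; legitimate software occasionally uses dot-folders, so a hit is a lead, not a verdict.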


Visit our Flashback.K description for more information.

MD5: 253CAE589867450B2730EF7517452A8B

Update: Apple has published a security update for Java. See: for details.


Sunday, April 1, 2012

Titanic APT Posted by ThreatResearch @ 09:00 GMT

Breaking News about the RMS Titanic based on information collected during the recent dives by director James Cameron.


The new findings are based on artifacts lifted from the seafloor.

Here's an image from the bridge of the Titanic with a close-up of a mystery object.


A similar object was found in the captain's cabin.


Here's a close-up of the mystery object after it had been lifted to the surface.


The object contained a slide on one side. Although rusted, this slide was still operational.


Here's an image with the slide extended. As you can see, the connector somewhat resembles a modern USB plug.


F-Secure Forensics & Ping Pong Labs are currently analyzing the contents of the USB stick.

The USB drive likely contains a zero-day exploit that dropped PLC malware targeting the control units of the Titanic's steam engines.

We expect to have full details on this case soon, probably by the end of business on April 1st.

Thanks to: James Cameron, Cerrious Design and National Geographic.