NEWS FROM THE LAB - April 2013


Tuesday, April 30, 2013

Facebook is Testing Tags For "What" Posted by Sean @ 12:06 GMT

Facebook has gradually added different tags to its "Status" updates.

Currently, most users have the ability to tag: who, when and where.

Facebook, What tags

Those options could soon include: what. (Roll out is limited at the moment.)


And not just what you are doing — but what you're feeling.


As long as everybody you're friends with gets the joke…


…you should be safe.


But let's say your boss mistakes "a pan galactic gargle blaster" for a real drink and reprimands you for drinking alcohol on the job.

That could leave you feeling quite annoyed.


How do I share my feelings or what I'm doing in a status update?



The Fog of Cyber Defence Posted by Mikko @ 06:53 GMT

The Fog of Cyber Defence

The Finnish National Defence University has published a 250-page book called The Fog of Cyber Defence. The book discusses cyber warfare, the cyber arms race, and cyber defense from a Nordic viewpoint.

The book was written by twenty authors:

Insights into Cyberspace, Cyber Security, and Cyberwar in the Nordic Countries - (Jari Rantapelkonen & Harry Kantola)
Sovereignty in the Cyber Domain - (Topi Tuukkanen)
Cyberspace, the Role of State, and Goal of Digital Finland - (Jari Rantapelkonen & Saara Jantunen)
Exercising Power in Social Media - (Margarita Jaitner)
Victory in Exceptional War: The Estonian Main Narrative of the Cyber Attacks in 2007 - (Kari Alenius)
The Origins and the Future of Cyber Security in the Finnish Defence Forces - (Anssi Kärkkäinen)
Norwegian Cyber Security: How to Build a Resilient Cyber Society in a Small Nation - (Kristin Hemmer Mørkestøl)
Cyber Security in Sweden from the Past to the Future - (Roland Heickerö)
A Rugged Nation - (Simo Huopio)
Contaminated Rather than Classified: CIS Design Principles to Support Cyber Incident Response Collaboration - (Erka Koivunen)
Cyberwar: Another Revolution in Military Affairs? - (Tero Palokangas)
What Can We Say About Cyberwar Based on Cybernetics? - (Sakari Ahvenainen)
The Emperor's Digital Clothes: Cyberwar and the Application of Classical Theories of War - (Jan Hanska)
Theoretical Offensive Cyber Militia Models - (Rain Ottis)
Offensive Cyber Capabilities are Needed Because of Deterrence - (Jarno Limnéll)
Threats Concerning the Usability of Satellite Communications in Cyberwarfare Environment - (Jouko Vankka & Tapio Saarelainen)
The Care and Maintenance of Cyberweapons - (Timo Kiravuo & Mikko Särelä)
The Exploit Marketplace - (Mikko Hyppönen)

The Fog of Cyber Defence can be downloaded as a PDF file from


Thursday, April 25, 2013

Another Document Targeting Uyghur Mac Users Posted by Brod @ 13:39 GMT

We spotted a new variant of the documents used in the cyber attacks against Uyghur back in February.

This variant was first submitted to VirusTotal on April 11 from China. This time it uses IUHRDF, which may be a reference to International Uyghur Human Rights & Democracy Foundation, instead of Captain as the author:

Properties of poadasjkdasuodrr.doc

The payload is still the same, apart from different filenames and a different command and control server.

It uses "" as the command and control server:

Command and control server name

It creates the following copy of itself and launch point:

~/Library/Application Support/.realPlayerUpdate

Or it may create the following instead (when executed with 2 parameters):

/Library/Application Support/.realPlayerUpdate

It remains pretty much the same malware and has been generically detected as Backdoor:OSX/CallMe.A since February.

MD5: ee84c5d626bf8450782f24fd7d2f3ae6 - poadasjkdasuodrr.doc
MD5: 544539ea546e88ff462814ba96afef1a - .realPlayerUpdate
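The launch points and the MD5 above are enough for a simple host check. The following is an added example (not code from the original post or from F-Secure): it looks for the hidden .realPlayerUpdate file at both locations the post names, hashes whatever it finds, and compares the digest with the published MD5. The demo helper writes a constructed stand-in file into a temporary directory so the logic can be exercised on any system; the file content is invented and is not the malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the post: the two launch points and the MD5 of .realPlayerUpdate.
CALLME_LAUNCH_POINTS = [
    Path.home() / "Library" / "Application Support" / ".realPlayerUpdate",
    Path("/Library/Application Support/.realPlayerUpdate"),
]
CALLME_MD5 = {"544539ea546e88ff462814ba96afef1a"}


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so a large dropped binary does not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_launch_points(paths=CALLME_LAUNCH_POINTS, known_md5=CALLME_MD5):
    """Return (path, md5, matches_known_sample) for every launch point that exists.

    A hidden file at either path is suspicious on its own: a digest that does not
    match only means it is not the exact sample from the post, not that it is benign.
    """
    findings = []
    for p in paths:
        p = Path(p)
        if p.is_file():
            digest = md5_of_file(p)
            findings.append((str(p), digest, digest in known_md5))
    return findings


# Constructed stand-in content so the scan can be exercised offline; not malware.
DEMO_CONTENT = b"constructed stand-in for .realPlayerUpdate, not the real sample\n"


def demo_with_constructed_sample(known_md5=CALLME_MD5):
    """Create a throwaway '.realPlayerUpdate' in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "Application Support" / ".realPlayerUpdate"
        fake.parent.mkdir(parents=True)
        fake.write_bytes(DEMO_CONTENT)
        return scan_launch_points([fake], known_md5)


if __name__ == "__main__":
    # Real check against this host's launch points (user and system-wide).
    for path, digest, known in scan_launch_points():
        label = "KNOWN CallMe.A sample" if known else "UNKNOWN hidden file"
        print(f"{label}: {path} md5={digest}")
    print("demo run:", demo_with_constructed_sample())
```

Run it as the user who may have opened the document; the system-wide path is only readable for all users, so a non-matching hash there still deserves a look at the file's signature and creation time.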


Wednesday, April 24, 2013

Apple's Root Certs Include the DoD Posted by Sean @ 18:39 GMT

Fun Fact!

Among the trusted root certificates used by Mac OS X, iOS 5 and iOS 6

…are two from the United States Department of Defense (DoD).

Interesting, no?


Tuesday, April 23, 2013

CVE-2013-2423 Java Vulnerability Exploit ITW Posted by SecResponse @ 14:36 GMT

A few days after Oracle released its critical patch for Java, CVE-2013-2423 is already being exploited. Upon checking the history, the exploitation seems to have begun on April 21st and is still actively happening (as of this post):

url_list (122k image)

For a closer look, the image below contains a comparison of the classes found in the Metasploit module and that of the ITW sample:

Metasploit (95k image)

Interestingly, the Metasploit module was published on the 20th, and as mentioned earlier, the exploit was seen in the wild the day after.

Information about the PoC can be found here.

Files are detected as Exploit:Java/Majava.B.

Sample hashes:

Post by — Karmina and @Timo


Infosec's Hall of Fame 2013 Posted by Sean @ 12:42 GMT

Infosecurity Europe 2013 opened its doors today. And tomorrow…

Our own Mikko Hypponen will be inducted into Infosec's Hall of Fame.

Infosecurity Europe's Hall of Fame 2013

Congratulations Mikko!

Session details here.


Monday, April 22, 2013

Wired on Cyberwar. In 1996. Posted by Mikko @ 13:55 GMT

I heard Wired Magazine is turning 20.


As I used to subscribe to the magazine around '93-'96, I went looking for my old copies, and I did find a stack. One of the weirdest things about these old magazines was that while they were speaking about the net from cover to cover, they did not have a single URL or a web address. Because the web didn't really exist in 1993.

I found this one cover from August 1996 especially striking. Somewhere below the mugshots of John Romero (@romero) and John Carmack (@ID_AA_Carmack) is the text "Ready for Cyberwar". Cyberwar? In 1996? I had to look up the article.

Turns out, the article in question is an interview with Winn Schwartau. I'll take the liberty of quoting the most interesting part of the article — which was well ahead of its time — below.

Thanks, Wired.
Mikko Hypponen

Cyberwar 1996


Monday, April 15, 2013

Toomas Hendrik Ilves on Cybersecurity Posted by Sean @ 08:15 GMT

Published last Thursday — Cybersecurity: A View From the Front — a New York Times Op-Ed by Estonian President Toomas Hendrik Ilves, is highly recommended reading.

Cybersecurity: A View From the Front

Hat tip to @JarnoLim


Wednesday, April 10, 2013

South Korea, Starbucks, and Android/Smsilence Posted by Sean @ 22:34 GMT

Several weeks ago, a McAfee researcher named Michael Zhang analyzed an Android trojan which specifically targets South Korean phones. It's called Smsilence, and it uses bait such as "Starbucks coupon" apps (ex: starbug.apk).

Here's the phone number check looking for country code +82:


A detail not included in Zhang's post: the URLs / IP addresses to which SMS are forwarded are associated with Hong Kong.

And given the current political tensions in the region… a trojan which very specifically targets South Korean phones and then forwards information to China seems… worrisome.

SHA1: 04d58cbe352ba98d50510b661091bac5852fe7f4


Monday, April 8, 2013

Android Malware: Breaking New Ground and Old Taboos Posted by Sean @ 16:35 GMT

Last Thursday's post links to "Stels" analysis by Dell SecureWorks. (Read it!) Stels is a versatile Android trojan which has recently started spreading via the Cutwail spam botnet.

Android malware being distributed by a mass-market crimeware gang — could be a game changer.

So, how did Stels spread before Cutwail?

Here's a few slightly older Stels variants and the dates we first saw them, all distributed (at least) via a web portal called

  •  efb387ae109f6c04474a993884fe389e88be386f — Dec 5th
  •  8b99a836572231ffdcb111628fc1dcfb5d9ee31d — Dec 7th
  •  109b2adde84bb7a4ebf59d518863254e9f01c489 — Dec 10th
  •  9384480d82326e89ce52dd3582cf0d6869d59944 — Dec 13th
  •  8abc7ee0071ac32188c3262cf4ff76cc6436b48f — Jan 3rd

We detect numerous versions of Stels as Trojan:Android/SmsSpy.K. And this screenshot from our Malware Sample Management System (MSMS) gives a very good idea of the social engineering involved:


Games, utilities, and other "freeware" applications targeting Russians.

Targeting Russians… that's actually unusual in the world of Windows malware.

Conficker.A, for example, checks what keyboard layout is currently being used on the system with the GetKeyboardLayout Windows API and does not infect the system if the layout is Ukrainian.

A more recent example is Citadel (banking trojan), which does not run on machines that have either Russian or Ukrainian keyboards among the available input languages, checked with GetKeyboardLayoutList API.

From Citadel's machine(?) translated "readme" (


Important Note:
Our software does not work on Russian systems, if found Russian or Ukrainian keyboard layout – the software allows failure. This introduction is done in order to combat the CIS downloads. Treat it as you want, for us it is a taboo.


Here's what happens with an old version of Citadel when it encounters a Ukrainian keyboard layout.


Current versions of Citadel silently quit without the crash error.
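To make the two keyboard-layout checks concrete, here is an added example (not code from the original post, from Conficker or from Citadel). Both Windows APIs mentioned above return keyboard layout handles (HKLs) whose low 16 bits are a LANGID; the low 10 bits of a LANGID are the primary language, and the values 0x19 (Russian) and 0x22 (Ukrainian) come from the Windows SDK's winnt.h. The functions below decode such handles and answer the defender's question "would a sample applying this rule run on this host?", which matters when you build an analysis sandbox. The HKL values used in the demo are constructed; on Windows the optional live_layout_list helper fetches the real ones through ctypes.

```python
import sys

# Primary language identifiers, low 10 bits of a Windows LANGID (values from winnt.h).
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22


def langid_from_hkl(hkl):
    """The low 16 bits of a keyboard layout handle (HKL) are the input language ID."""
    return hkl & 0xFFFF


def primary_language(langid):
    """Drop the sub-language bits (bits 10-15) and keep the primary language."""
    return langid & 0x3FF


def citadel_style_check(layout_list):
    """Citadel's rule as the post describes it: any Russian or Ukrainian layout in the
    list returned by GetKeyboardLayoutList means the bot refuses to run."""
    return any(
        primary_language(langid_from_hkl(h)) in (LANG_RUSSIAN, LANG_UKRAINIAN)
        for h in layout_list
    )


def conficker_style_check(active_layout):
    """Conficker.A's narrower rule: only the active layout (GetKeyboardLayout) is
    consulted, and only Ukrainian stops the infection."""
    return primary_language(langid_from_hkl(active_layout)) == LANG_UKRAINIAN


def live_layout_list():
    """On Windows, read the real layout list via ctypes; elsewhere return None.
    GetKeyboardLayoutList(0, NULL) returns the count, a second call fills the buffer."""
    if sys.platform != "win32":
        return None
    import ctypes
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [(h or 0) & 0xFFFFFFFF for h in buf]


# Constructed HKL values: high word = layout device id, low word = LANGID.
US_ENGLISH = 0x04090409
RUSSIAN = 0x04190419
UKRAINIAN = 0x04220422

if __name__ == "__main__":
    layouts = live_layout_list() or [US_ENGLISH, RUSSIAN]
    print("layouts:", [hex(h) for h in layouts])
    print("Citadel-style rule would skip this host:", citadel_style_check(layouts))
    print("Conficker.A-style rule would skip this host:", conficker_style_check(layouts[0]))
```

The difference between the two rules is visible in the results: a host with US English active and Russian merely installed is skipped by the Citadel rule but not by the Conficker.A rule, because Conficker only looks at the active layout and only at Ukrainian.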

Thus far, Russian-authored Android malware has needed to target fellow Russians due to the billing schemes related to SMS fraud. (Premium numbers only work within their country of origin.)

Now that Android malware has expanded into a more "traditional" distribution channel — is it only a matter of time before we discover an Android trojan that reestablishes old taboos and refuses to infect Android devices using Russian as its display language?


Friday, April 5, 2013

Trojan:Android/Pincer.A Posted by Sean @ 18:31 GMT

Protip: don't install an Android application package file if it's named "Certificate.apk".

It's not legit (obviously).

Trojan:Android/Pincer.A is able to forward SMS messages and perform other actions based on commands it receives from its C&C. When installed, it will appear in the application menu as "Certificate" and will display related bogus messages when run.

Certificate PIN Code

Previous malicious mobile applications pretending to be certificates have been mobile components of banking trojans aimed at defeating two-factor authentication. The fact Pincer is able to forward SMS messages means it can certainly also be used as such.

The commands Pincer waits for are:

  •  start_sms_forwarding
  •  start_call_blocking
  •  stop_sms_forwarding
  •  stop_call_blocking
  •  send_sms
  •  execute_ussd
  •  simple_execute_ussd
  •  stop_program
  •  show_message
  •  delay_change
  •  ping

The show_message command enables interesting interactivity: it displays a message to the victim, and the message content arrives from the C&C together with the command itself.

The call-home destinations for the trojan are and +4479372xxxxx.

The IMEI of the phone is used as an identifier by the C&C server. Other information sent there includes phone number, device serial number, phone model, carrier, and OS version.

Of note: Pincer checks to see if it's being run in an emulator by checking the IMEI, phone number, operator, and phone model. (A common "anti-analysis" technique used by Windows malware.)
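The command list and the IMEI-as-bot-id detail give an analyst a vocabulary to triage captured C&C traffic against. Below is an added example (not code from the original post or from F-Secure's analysis): a small classifier that runs over constructed sample lines, maps each command to the capability it exercises, flags the high-risk ones (SMS interception and sending, USSD), pulls out the show_message text, and reports commands outside the known set. The "key=value" line format, the IMEI and the sample lines are all constructed for the demo; the real Pincer wire format is not described in the post.

```python
import re
from collections import Counter

# Command vocabulary as listed in the post, grouped by the capability it exercises.
PINCER_COMMANDS = {
    "start_sms_forwarding": "sms-interception",
    "stop_sms_forwarding": "sms-interception",
    "start_call_blocking": "call-blocking",
    "stop_call_blocking": "call-blocking",
    "send_sms": "sms-send",
    "execute_ussd": "ussd",
    "simple_execute_ussd": "ussd",
    "show_message": "social-engineering",
    "stop_program": "control",
    "delay_change": "control",
    "ping": "control",
}
HIGH_RISK = {"sms-interception", "sms-send", "ussd"}

# Constructed sample lines in a hypothetical "key=value" capture format.
# The IMEI is a made-up value; the format is not Pincer's real protocol.
SAMPLE_LINES = [
    "imei=490154203237518 cmd=ping",
    "imei=490154203237518 cmd=start_sms_forwarding",
    "imei=490154203237518 cmd=show_message text=Certificate+installed+successfully",
    "imei=490154203237518 cmd=execute_ussd code=*100%23",
    "imei=490154203237518 cmd=update_contacts",  # not in the post's vocabulary
]

CMD_RE = re.compile(r"\bcmd=([A-Za-z_]+)")
IMEI_RE = re.compile(r"\bimei=(\d{14,15})")
TEXT_RE = re.compile(r"\btext=(\S+)")


def bot_id(line):
    """The post says the IMEI identifies the bot; extract it if present."""
    m = IMEI_RE.search(line)
    return m.group(1) if m else None


def classify_line(line):
    """Return (command, capability) or None when the line carries no command."""
    m = CMD_RE.search(line)
    if not m:
        return None
    cmd = m.group(1)
    return cmd, PINCER_COMMANDS.get(cmd, "unknown")


def message_text(line):
    """For show_message, the displayed text travels with the command; decode '+' as space."""
    m = TEXT_RE.search(line)
    return m.group(1).replace("+", " ") if m else None


def triage(lines):
    summary = Counter()
    high_risk, unknown, messages = [], [], []
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        cmd, capability = result
        summary[capability] += 1
        if capability == "unknown":
            unknown.append(cmd)
        elif capability in HIGH_RISK:
            high_risk.append(cmd)
        if cmd == "show_message":
            messages.append(message_text(line))
    return {
        "capabilities": dict(summary),
        "high_risk": high_risk,
        "unknown": unknown,
        "messages": messages,
    }


if __name__ == "__main__":
    print("bot:", bot_id(SAMPLE_LINES[0]))
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Unknown commands are worth keeping rather than discarding: a command outside the published list is the first hint of a newer variant, which is exactly how the additional samples in the update below differ from the first three.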

SHA1: 2157fd7254210ef2e8b09493d0e1be3b70d6ce69

Additional similar samples:

  •  9416551d3965d3918eef3788b0377963d7b77032
  •  1ebfc6f1f3e15773f23083c9d8d54771e28f5680

And on a final note…

The trojan includes a class called USSDDumbExtendedNetworkService. The URI_AUTHORITY variable is set to [redacted].com — and the redacted word is either associated with a French Canadian concrete company or else it may be the Twitter handle of a young Russian whose Google+ page lists employment as "Android developer".

We don't have any "concrete" evidence… but we're pretty sure Pincer doesn't have anything to do with Canada.


Technical analysis by — Mikko Suominen


Updated to add:

Here are two more Pincer samples discovered from data mining:

This one is essentially the same as the previous three, but has a different C&C URL ( and certificate. It was first seen in VirusTotal a week earlier than the first of the previously discovered samples.

  •  ec14ed31a85f37fad7c7d9c8c0d2aad3a60c8b36

This is a more interesting sample, clearly an earlier variant (submitted on March 19th to VirusTotal). This version doesn't pretend to be a certificate. Instead it calls itself "Mobile Security".

Mobile Security

  •  60e1cd1191e0553f8d02289b96804e4ab48953b3

The sample crashed on start, but based on static analysis, it would display the message "Mobile Security System is active now. You are protected." The icon is the same as in other variants. The name of the package is also different. The other samples use or, this one is com.[redacted].diverter.


Yeah… that's a feature you don't want in your "mobile security".


Thursday, April 4, 2013

Cutwail Spam Botnet Targeting Android Users Posted by Sean @ 13:00 GMT

Brett Stone-Gross of Dell SecureWorks has excellent analysis of Android malware being distributed via the Cutwail spam botnet.

Dell SecureWork's Stels Android Trojan Malware Analysis

Here's the conclusion:


"The distribution of the Stels trojan through a spam campaign is unusual for Android malware".

That's a bit of an understatement.

Stone-Gross's analysis is significant evidence of Android malware's evolution into mass-market crimeware.


Hat tip to @iblametom


Wednesday, April 3, 2013

OS MAX:Flashback Posted by Sean @ 11:36 GMT

One year ago, Apple released a software update to combat Mac malware called Flashback.

And the question has been: who wrote the Flashback OS X worm?

Today, investigative security blogger extraordinaire Brian Krebs, has an answer: Maxim Selihanovich of Saransk, Mordovia.

Krebs on Security, Who Wrote the Flashback OS X Worm?

Read the full story at… Krebs on Security

Here's a screenshot of the "keenly detailed research paper" referenced by Krebs:

Flashback OS X Malware

Broderick's paper [PDF] and slides [PDF] are available for download. The paper was originally published at VB2012.

Updated to add: We asked the good folks at Virus Bulletin if they ever made conference videos public. And now they do.

Here's Broderick's VB2012 presentation courtesy of VB's brand new YouTube channel:

Thank you, Martijn!


Facebook Claims it's a "Bug" Posted by Sean @ 09:32 GMT

Yesterday's post noted the disappearance of Facebook's option to clear searches.

Late last night, I spoke with Zach Miners, of IDG News Service. He investigated the situation and was told by Facebook:

"Its disappearance was caused by a bug and was not intentional."

Zach Miners, IDG News

A bug?

Really. What a complete load of bollocks. When your company motto is "Move Fast and Break Things", I'm rather more inclined to believe it's a case of oversight, human error, and/or incompetence.

Or perhaps "bug" is Facebook lingo for "oops, my bad"?

Seriously Facebook… STOP MOVING SO FAST!

When it comes to security and privacy controls: done is — NOT — better than perfect.



Tuesday, April 2, 2013

Facebook removes a privacy control, surprised? Posted by Sean @ 15:30 GMT

On March 27th, Joey Tyson, a privacy and security engineer at Facebook, asked:


In general, I think many people tend to trust Google more than Facebook. Any thoughts from my followers on why that might be?

Tyson, a.k.a. Social Hacking, is a privacy advocate, and was long before he began working for Facebook.

He's asking an important question. Why do people trust Google more than Facebook?

Well here's an example of why…

Recently, I tested Graph Search. And at the time, I pointed out the "Clear Searches" option in Facebook's settings, which can be used to purge one's search history. Or at least it could.

Facebook Settings, Clear Searches

Late last week… poof! The option disappeared from Facebook's settings.

Facebook Settings, No Clear Searches

And it's gone. Just like that. Like it never existed.

And what showed up (temporarily) over the weekend?


Facebook Gifts

I've been waiting for something like this to pop up ever since I noticed "Gifts" returned to Facebook's settings:

Facebook Settings, Gifts

Why, if I didn't know any better… I'd suspect Facebook's Graph Search was not designed to help me locate things of interest, but rather, to generate interactions which can be used to profile me. And then that consumer analysis can be used to prompt my friends and family to buy me gifts?

Seriously, why should anybody "trust" Facebook?

I didn't sign up to have my searches, and other data, used to recommend things. (That's Amazon's job.)

Both Amazon and Google provide an option to pause/suspend/purge search history.

I expect no less from Facebook.

Whatever else its faults, at least Google never seems to just up and delete a component of its privacy dashboard. And when Google rolls out a new service, it doesn't just come and go seemingly on a whim.

Facebook privacy controls: here today and gone tomorrow. — And that's no way to build trust.


Updated: Facebook — the company whose motto is "Move Fast and Break Things" — blames a bug for the disappearance.