NEWS FROM THE LAB - April 2015


Thursday, April 30, 2015

Video: Mikko's Stanford Seminar Posted by Sean @ 12:15 GMT

Mikko recently presented at Stanford University:

The seminar is available via YouTube.


Tuesday, April 28, 2015

Reply All #21 Hack the Police Posted by Sean @ 12:07 GMT

Banned from using "the Internet" in 2015? What's that like when you're surrounded by an Internet of Things?

Alex Goldman discovered the answer in episode #21 of Reply All:

Hack the Police

"When Higinio Ochoa got out of prison for hacking in September of 2014, one of the terms of his parole was that he is not allowed to use any internet connected device. We went to his home in Austin to find out how he got caught and what it's like – in 2015 – to go from living online to not having any internet access."


Friday, April 24, 2015

Freedome VPN For Mac OS X Posted by Sean @ 12:37 GMT

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.


Thursday, April 23, 2015

New Threat Report Posted by Sean @ 14:20 GMT

Our latest comprehensive threat report, based on our analysis of H2 2014 data, is now available.

H2 2014 Threat Report At A Glance

Get it and more from:


Wednesday, April 22, 2015

CozyDuke, TLP: White Posted by Sean @ 14:24 GMT


This whitepaper provides an overview of CozyDuke, a set of tools used by one or more malicious actors for performing targeted attacks against high profile organizations, such as governmental organizations and other entities that work closely with these institutions.

The CozyDuke toolset, which we believe has been under active development since at least 2011, consists of tools for infecting targeted hosts, establishing and maintaining backdoor access to the hosts, gathering information from them and gaining further access to other hosts inside the victim organization.

Based on command and control (C&C) server information found being used by CozyDuke tools, we believe the CozyDuke toolset is used by at least one malicious actor who also uses, or at least shares infrastructure with, actors using the known threats MiniDuke and OnionDuke.

Download CozyDuke White Paper

Research by @lehtior2


Janicab Hides Behind Undocumented LNK Functionality Posted by FSLabs @ 11:12 GMT

Two years ago, we found a piece of malware called Janicab. It targets both Mac and Windows, using Python and VBS scripts respectively.

On Windows, this malware was delivered via a document that exploited CVE-2012-0158. We have also seen it delivered, at various times from 2013 until recently, as a Microsoft Shell Link (.lnk) file that drops an embedded, encoded VBScript.

There are several tricks the dropper uses for obfuscating its purpose:

- Filename with a double extension (for example, .jpg.lnk or .doc.lnk)
- Using the icon of notepad.exe (instead of the default, cmd.exe)
- Possibly sensitive metadata zeroed out (for example, the machine identifier and relative path)

But the most interesting part is the use of an undocumented method for hiding the command line argument string from Windows Explorer. Normally, when the user right-clicks the shortcut and opens its properties, the target and its arguments are shown together as a single string in the Target field. In this case, however, the command line argument is not displayed at all.

[Image: 1_Fotomama_screenshot]

Within the LNK, there is a hidden command line argument which consists of a series of shell commands chained together with the & operator.

[Image: 2_Fotomama_lnk]

Here is the list of commands that does the dropping and execution of the malicious VBE:

[Image: 3_commands]

The malware script is encoded using the Microsoft Script Encoder, and is embedded at the end of the LNK file.
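The post shows the hidden argument and the appended script only in screenshots, and the undocumented hiding trick itself is not spelled out in the text. What an analyst can do regardless is read the shortcut with a parser instead of trusting Explorer's Properties dialog: the documented ShellLink layout (MS-SHLLINK) places the COMMAND_LINE_ARGUMENTS string at a fixed position in the StringData section, and anything that follows the ExtraData terminal block is not part of the shortcut at all, which is where a dropper can park its payload. The following is an added example written for this article, not code from the original post or from Janicab. The sample shortcut it builds is constructed here with a placeholder command chain and a placeholder payload that merely starts with the "#@~^" prefix the Microsoft Script Encoder emits; it is not the real dropper.

```python
import struct

# ShellLink header constants from MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order, each one present only if its flag is set.
STRING_FIELDS = [
    ("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]
VBE_MAGIC = b"#@~^"  # prefix the Microsoft Script Encoder puts on encoded scripts


def parse_lnk(data):
    """Walk the LNK structure; return its strings plus any bytes after the terminal block."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    strings = {}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            strings[key] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
            pos += 2 * count
        else:
            strings[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    # ExtraData: (BlockSize, BlockSignature, ...) blocks; a size below 4 is the terminal block.
    extra_blocks = []
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if size < 8 or pos + size > len(data):
            break  # malformed block: stop rather than misread the rest of the file
        extra_blocks.append(struct.unpack_from("<I", data, pos + 4)[0])
        pos += size
    return {"flags": flags, "strings": strings,
            "extra_blocks": extra_blocks, "trailing": data[pos:]}


def split_commands(arguments):
    """Split a cmd.exe argument string on the & operator the dropper chains commands with."""
    return [c.strip() for c in arguments.split("&") if c.strip()]


def build_sample_lnk(arguments, appended):
    """Constructed minimal LNK: header, one argument string, terminal block, appended payload."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + struct.pack("<I", 0) + appended


# Constructed sample, not the real Janicab dropper: the command chain is a placeholder.
SAMPLE_ARGS = "/c echo one & echo two & echo three"
SAMPLE_LNK = build_sample_lnk(SAMPLE_ARGS, VBE_MAGIC + b"constructed-encoded-script-bytes")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(split_commands(info["strings"]["arguments"]))
    print("encoded script appended:", info["trailing"].startswith(VBE_MAGIC))
```

Run against a real shortcut, the `trailing` bytes are the thing to look at first: a benign LNK ends at the terminal block, so any sizeable remainder, and in particular one starting with `#@~^`, is an embedded script worth decoding.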

The script drops decoy files such as these upon execution:

[Image: 4_mama]

[Image: 5_doc]

Like the previous variants, Janicab still uses third-party web services such as YouTube to obtain its C&C address.

[Image: 6_youtubecomments]

[Image: 7_blogspot]

[Image: 8_googleplus]

It used to be that the actual C&C IP addresses were posted in plain text in YouTube comments. As seen above, the malware authors have since attempted to obscure the C&C: the recent variant extracts a number from the comments using the regular expression "our (.*)th psy anniversary".

The actual IP address is obtained by dividing the number found in the web service and converting the result.

[Image: 9_ipconv]

Another change in this variant is that it drops a copy of snapIt.exe into %UserProfile%\SystemFolder. Janicab uses this application to capture screenshots, which it saves as ~PF214C.tmp.

It also now checks for signs of being run in virtual machines such as VirtualBox, Parallels and VMware, and checks whether it is running on an analysis machine by looking for these running processes:

[Image: 10_processes]

Here is the list of C&Cs we've seen so far for this variant:

The C&C communication uses the following formats:
[C&C]/Status2.php - Check C&C status
[C&C]/a.php?id=[SerialIDfromCnC]&v=[malware_version]&av=[InstalledAV] - Inform that cookies and decoy have been deleted
[C&C]/gid.php?action=add&cn=[ComputerName]&un=[UserName]&v=[malware_version]&av=[InstalledAV]&an=[notifyName] - Get Serial ID
[C&C]/rit.php?cn=[ComputerName]&un=[UserName]&an=[notifyName]&id=[SerialIDfromCnC]&r=[VMorRunningProcessName] - Inform running analysis process or sandbox environment
[C&C]/sm.php?data=[InstalledAV] - Obtain startup mechanism
[C&C]/c.php?id=[SerialIDfromCnC] - Get commands
[C&C]/rs.php - Send screenshot
[C&C]/rk.php - Send data
[C&C]/d.php?f=[Base64EncodedData] - Download file
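The request formats above are specific enough to hunt for in proxy or web-gateway logs even without the C&C list. The following is an added detection example written for this article, not part of the original post. It maps each endpoint to the query parameters the post shows for it and only flags a request when the path ends with the endpoint and all of those parameters are present, which keeps generic names like c.php from matching ordinary intranet traffic. The log lines are constructed and use a simplified "time client method url status" layout; 198.51.100.7 is a documentation address, not a real C&C.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoint -> (label, query parameters the post lists for it).
JANICAB_ENDPOINTS = {
    "/status2.php": ("status check", set()),
    "/a.php": ("cleanup report", {"id", "v", "av"}),
    "/gid.php": ("serial id request", {"action", "cn", "un", "v", "av", "an"}),
    "/rit.php": ("analysis-environment report", {"cn", "un", "an", "id", "r"}),
    "/sm.php": ("startup mechanism", {"data"}),
    "/c.php": ("command poll", {"id"}),
    "/rs.php": ("screenshot upload", set()),
    "/rk.php": ("data upload", set()),
    "/d.php": ("file download", {"f"}),
}


def classify_url(url):
    """Return the Janicab message type a URL matches, or None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    params = set(parse_qs(parts.query, keep_blank_values=True))
    for endpoint, (label, required) in JANICAB_ENDPOINTS.items():
        if path.endswith(endpoint) and required <= params:
            return label
    return None


def scan_proxy_log(text):
    """Return (client, url, label) for every matching line of 'time client method url status'."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], fields[3], label))
    return hits


# Constructed log excerpt; the third line is benign intranet traffic that must not match.
SAMPLE_LOG = """\
1429700000.123 10.0.0.5 GET http://198.51.100.7/Status2.php 200
1429700001.456 10.0.0.5 GET http://198.51.100.7/gid.php?action=add&cn=WS01&un=alice&v=2&av=None&an=x 200
1429700002.789 10.0.0.5 GET http://intranet.example/c.php?page=1 200
1429700003.000 10.0.0.5 GET http://198.51.100.7/c.php?id=17 200
1429700004.000 10.0.0.9 GET http://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for client, url, label in scan_proxy_log(SAMPLE_LOG):
        print(f"{client}  {label:28} {url}")
```

Treat a hit on the endpoints with no required parameters (Status2.php, rs.php, rk.php) as weaker evidence on its own; a host that produces a gid.php request followed by c.php polls with an id is the pattern worth escalating.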

The samples are detected as Trojan-Dropper:W32/Janicab.A.

SHA1 Hashes:

Post by — Jarkko and Karmina


Friday, April 17, 2015

Moving Around Posted by Sean @ 14:35 GMT

We're reorganizing numerous teams here at F-Secure Labs, and that means moving people around between the second and third floors in our Helsinki HQ.

Moving requires moving boxes and this is what the "Platforms" team did with them:

Great Wall of Sofa

Lab Dancing Inside

By the way — we're also expanding. There are several software engineering positions available on our APT team. No box building experience required.

Job openings


Friday, April 10, 2015

Video: Terrorist Groups in the Online World Posted by Sean @ 11:01 GMT

Given recent events, this presentation by Mikko about the possibility of terrorist groups doing online attacks seems timely.

YouTube: Terrorist Groups in the Online World

Protip: don't make yourself an easy target by broadcasting your passwords:

David Delos


Thursday, April 2, 2015

Remote Code Execution Possible Via Dell System Detect Posted by FSLabs @ 12:53 GMT

Journalist John Leyden recently contacted us for our opinion on vulnerability research by Tom Forbes. The focus of Forbes' research was Dell's "System Detect" utility and a flaw that allows for remote code execution. Forbes reported his findings last November and Dell mitigated the issue in January (and also again last week).

But a significant problem remains from our point of view.

Older versions of the software don't update themselves, and a lot of vulnerable computers remain out there. Over time, our customers have scanned various versions of System Detect many hundreds of thousands of times. It's very prevalent software. From our customer base statistics for the last two weeks alone, we can see that approximately 100,000 customers queried reputation checks on System Detect. Only about one percent of them are running the latest version (6.0.14, represented by red in the chart below).

Dell System Detect, F-Secure customer install-base

Older versions of System Detect create a run key in the registry that starts the service automatically. So vulnerable versions run persistently even though it's only needed when visiting Dell's support site. The latest version — 6.0.14 — doesn't create a run key.

Exploiting older versions of System Detect is very easy. It only requires that the target visits a URL with some variation of "dell" in its domain. Exactly where in the URL varies depending on the version of the software.

We used Forbes' research and our own black-box testing to run three versions of System Detect, observing network traffic and replaying the same traffic with small modifications. We confirmed that the older versions can be used to launch calc.exe on a targeted machine (i.e., remote code execution).

Dell System Detect

For the version, the domain part of the URL in the Referer header needs to contain "", but it also accepts "", so it's highly vulnerable.

Version 6.0.9 was released after Forbes reported the issue to Dell. It requires that the domain contains ".dell.". This means it also accepts "", so it's also just as vulnerable to a web-based attack.

The current version, 6.0.14, requires that the domain is "*", which more or less addresses the problem, especially when combined with the lack of autostart. If you need to have a version installed, it should be this one.
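The difference between the checks described above is the difference between a substring test and a parsed, boundary-aware hostname test. The following is an added example written for this article, not Dell's code: the `substring_check` models the 6.0.9 behaviour as the post describes it (the host only has to contain ".dell."), and `strict_check` is the kind of check that closes the hole. Two assumptions are made because the post elides the actual strings: that dell.com is the origin the utility is meant to trust, and that the scheme must be http or https (which matches the scheme validation Dell lists in the April update). The probe URLs are constructed; attacker.example is a placeholder.

```python
from urllib.parse import urlsplit

# Assumption for this example: dell.com is the origin System Detect is meant to trust.
TRUSTED_DOMAIN = "dell.com"


def substring_check(referer):
    """Check modelled on the 6.0.9 behaviour described in the post: host must contain '.dell.'."""
    host = (urlsplit(referer).hostname or "").lower()
    return ".dell." in host


def strict_check(referer, trusted=TRUSTED_DOMAIN):
    """Hardened check: http(s) only, host must equal the trusted domain or end in '.' + domain."""
    parts = urlsplit(referer)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def evaluate(referer):
    """Return (substring_result, strict_result) so the two policies can be compared side by side."""
    return (substring_check(referer), strict_check(referer))


# Constructed Referer values. Only the first one should be accepted.
PROBES = [
    "https://www.dell.com/support/home",        # legitimate support site
    "http://www.dell.attacker.example/",        # attacker subdomain containing '.dell.'
    "http://www.dell.com.attacker.example/",    # trusted name used as a prefix
    "file://www.dell.com/share",                # right host, wrong scheme
]

if __name__ == "__main__":
    for referer in PROBES:
        sub, strict = evaluate(referer)
        print(f"{referer:40} substring={str(sub):5} strict={strict}")
```

The substring policy accepts all four probes, and an attacker needs nothing more than a hostname of their own to satisfy it; the strict policy accepts only the first. Restricting the listener to localhost, which the April update also does, is the complementary fix: a Referer check alone still leaves any page the browser visits able to talk to the service.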

Older versions should definitely be uninstalled as soon as possible.

Here's an HTTPS enabled download link.

We are continuing to investigate further issues and actions that may be necessary to protect our customers.

Updated to add on April 30th:

The latest version of Dell System Detect, version, includes the following security updates.

1) Downloads installer and metadata over HTTPS.
2) Enforces file download on HTTPS.
3) Validates that the request scheme always begins with HTTP and not UNC path.
4) Validates certificate for errors.
5) Restricts incoming traffic to localhost only.

Source: Dell Support's Knowledge Base