NEWS FROM THE LAB - May 2012
 
Thursday, May 31, 2012

 
Is a new Zsone Under Development? #Android Posted by ThreatResearch @ 10:07 GMT

Android malware news: a year after Zsone's discovery, we've come across a new variant. Or at least a sample that causes us to ask, is a new variant under development? This new Zsone uses a native component for its SMS sending routine.

Here is a code snippet from its binary component for sending SMS.

Zsone

However, its SMS interception routine, which prevents the broadcasting of messages that come from "10086" or "1066185829", is not implemented in (or part of) the native library.

Zsone

The first variant, Trojan:Android/Zsone.A, has been known to exist on the official Android market.

Hopefully this new variant will not make it to Google Play. One wonders about the motivation of this development. We can see several possibilities of how the malware could utilize this new technique. Perhaps to defeat Google's Bouncer?

Our Mobile Security detects this as Trojan:Android/Zsone.C.

SHA1: a251bc753405d44f2902aca3f470006f77bf9e79

—————

Analysis by — Zimry

 
Wednesday, May 30, 2012

 
Flame-bait Questions Posted by Sean @ 16:43 GMT

There are many ongoing discussions right now about "Flame", an espionage tool about which information was disclosed on Monday.

There are plenty of questions from customers, and also from members of the press.

Mikko spoke with Clark Boyd of PRI's The World yesterday about the breaking news.

Symantec's Liam O Murchu spoke with Kai Ryssdal of Marketplace in a very "economical" conversation about Flame's functionality.

Some good questions have been asked. And plenty of hyperbole has been generated.

Here are some questions of our own.

  •  Am I protected from Flame?

That's the wrong question. You should be asking yourself this: am I at risk?

  •  Alright then, am I at risk from Flame?

Let's see, are you a systems administrator for a Middle Eastern government?

No? Then no… you aren't at risk.

The number of computers estimated to be infected with Flame is one thousand and there are more than one billion Windows computers in the world. You do the math. You're just as likely to win the lottery.

Additionally: Flame is not a worm. Its architecture includes wormable functionality but those functions are disabled by default. So Flame isn't spreading like a worm and therefore you won't be infected unless you've been specifically targeted.

And then there's the fact that Flame is now known to be in the wild. And so… it's been "turned off". Even Flame's targets are no longer at risk. The real power of an espionage tool is that it's a secret. Flame is no longer a secret and so it will therefore be abandoned. Operational security has been compromised.

  •  Okay, but still — in theory — am I protected?

We have detections for Flame and our current software blocks and prevents Flame from functioning based on our tests. If you have the most current version of your antivirus software and it's functioning properly with up to date databases, you should be good.

  •  So I'm safe?

Safe? Okay look… Flame is estimated to be at least two years old. That's old in terms of software code. And Flame is now a known quantity. You don't need to worry about it. Flame has been extinguished.

But…that isn't why you should find Flame interesting. The important thing about Flame is that it represents what else might be out there… the threats that are still unknown.

  •  So I'm not safe?

Go back and ask yourself the "Am I at risk?" question!

Commercial antivirus and security products are designed for, and focus on, protecting you from prevalent classes of in-the-wild threats coming from criminals, thugs and digital mobsters (and it's a constant battle). They are not designed to protect you from the digital equivalent of Seal Team Six. So if you're the guy that finds himself in the crosshairs… you're not safe.

  •  How about the future? Will Flame's tech give cyber-criminals new tools to work with? Should I worry about that?

Two of our lab analysts literally laughed out loud when asked that question. Flame is big. It's complex (just as lots of legitimate software is complex). But it's not advanced crimeware. It's different. Data-stealing crimeware is interested in the quickest, most efficient way to steal what it needs. And it evolves quickly. You might call that: advanced evolution.

Flame on the other hand is a "limited edition" spy tool with a limited scope that was used very carefully. It didn't need to evolve. Clearly there was advanced planning involved, but that doesn't necessarily make it what we would call advanced technology.

  •  What was Flame designed for?

Information gathering. And not just data from the computer, but also conversations and chats, contacts — intelligence.

  •  Who made Flame?

Well, it isn't designed for profit. It is too big and "complex" to have been designed by "hackers". So that leaves us with a nation state.

  •  Wait. What? Nation states spy?

Yeah. We know… shocking but true. #sarcasm

Nation states spy — when have they not? It shouldn't be surprising to anybody that they use digital espionage tools these days.

  •  What nation made Flame?

It's evident that significant resources went into crafting Flame. Given that, we think a better question is what defense contractor developed Flame.

  •  Defense contractor?

Yes. The way in which Flame is structured suggests to us that it was written by a contractor — an organization that is being paid.

  •  Defense contractors develop stuff like Flame?

Have a look for yourself. Here's something that Mikko recently tweeted about.

Here's the job posting for a Cyber Software Engineer:

Northrop Grumman, Cyber Software Engineer

"This exciting and fast paced Research and Development project will plan, execute, and assess an Offensive Cyberspace Operation (OCO) mission."

The Preferred Qualifications:

Northrop Grumman, Cyber Software Engineer, Preferred Qualifications

Hmm, SQL databases. Flame uses SQL databases… but no mention of the programming language Lua. Still, looks to us like defense contractors have a particular way of working with this kind of stuff.

And it's not just Northrop Grumman. Lots of defense contractors have positions for this type of project. You know, other companies such as Lockheed Martin and Raytheon.

  •  Wait, Northrop Grumman, Lockheed Martin and Raytheon? Haven't I read something "hacker" related to those (and other) companies recently?

Oh yes! That's right. The RSA Hack. Yes, defense contractors were among the many companies targeted as a consequence of the hack on RSA.

  •  What do you suppose the (allegedly Chinese) hackers took from them?

  •  Could China have Flame too?

  •  Am I "safe"?

Umm, upon reflection, perhaps there's no one good answer for that.

It's complicated. (Get used to it.)

—————

P.S. Does anybody else find it disturbing that Northrop Grumman's preferred qualifications include knowledge of "security research" tools such as Metasploit, World Wind, and Google Earth?
 
Monday, May 28, 2012

 
Case Flame Posted by Mikko @ 18:14 GMT

Flame (aka Flamer aka Skywiper) is a massive, complex piece of malware, used for information gathering and espionage.

The malware is most likely created by a Western intelligence agency or military. It has infected computers in Iran, Lebanon, Syria, Sudan and elsewhere.

Flame

There seems to be a clear difference in how online espionage is done from China and how it's done from the West. Chinese actors prefer attacks targeted via spoofed e-mails with booby-trapped documents attached. Western actors seem to avoid e-mail and instead use USB sticks or targeted break-ins to gain access.

Flame

The worst part of Flame? It has been spreading for years.

Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed. All of these cases were spreading undetected for extended periods of time.

More information from:

  •  Budapest University of Technology and Economics' Laboratory of Cryptography and System Security (CrySyS)
  •  Securelist (Kaspersky)
  •  Iran National CERT (MAHER)


Targeted Attack: London 2012 Olympics Posted by Sean @ 11:26 GMT

We came across a malicious Olympic-themed PDF earlier this morning while data mining our back end for documents which drop executables (those are never a good thing, unsurprisingly).

The PDF exploits CVE-2010-2883, which affects older versions of Adobe Reader and Acrobat. A typical PDF exploit will launch a clean decoy as part of its attack, and in this case, the decoy is a copy of the London 2012 Olympic schedule circa October 2010. The original source PDF can still be found online at: london2012.com.

London 2012 Olympics Games daily competition schedule

The exploit attempts to make a network connection with a site registered to "student travel" in Baotoushi, China.

news.studenttrail.com

Takeaways: first, be wary of Olympic (and any other current event) themed e-mails that have attachments and/or links. Second, if you don't already have the current version of Adobe Reader, you really should go get it now.

SHA1: 205d3df97ecafeceac5219a0ba7f5236da2caa49

 
Thursday, May 24, 2012

 
Zeitgeist 2012: Mikko Q&A Posted by Sean @ 16:03 GMT

Mikko took part in Google's Zeitgeist 2012 earlier this week in London.

Wired magazine editor David Rowan's Q&A: Beyond Today – Mikko Hypponen.


AusCERT Presentation: The Enemy Posted by Sean @ 15:56 GMT

Mikko was a featured speaker last week at AusCERT2012.

You can listen to (or download) audio of his presentation from Risky Business.

And then once you have the audio, you can view Mikko's slides via SlideShare.


Monday, May 21, 2012

 
ZeuS Ransomware Feature: win_unlock Posted by ThreatResearch @ 11:53 GMT

Earlier today, while doing our daily data mining, we came across a new variant of ZeuS 2.x. It includes a new backdoor command called win_unlock. Very interesting: it turns out this slightly modified ZeuS 2.x includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky, since the trojan prevents the user from doing anything with the infected system. Luckily, the locking itself can easily be disabled first.

Looking at the code that handles a received win_unlock command, it's clear the unlock information is stored in the registry.

ZeuS, ransom feature

Unlocking can therefore be performed quite easily with a registry editor:

  1. boot the system in safe mode
  2. add a new key named syscheck under HKEY_CURRENT_USER
  3. create a new DWORD value under the syscheck key
  4. set the name of the new DWORD value to Checked
  5. set the data for the Checked value to 1
  6. reboot
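The same six steps as a script, added here as an example (it is not from the original post). It assumes only what the list above states: a key named syscheck directly under HKEY_CURRENT_USER, a DWORD value named Checked set to 1, applied from Safe Mode in the locked user's session and followed by a reboot.

```powershell
# Added example, not from the original post: disable the ZeuS 2.x win_unlock
# screen lock by writing the registry value the trojan checks, then verify it.
# Run from Safe Mode, logged in as the user whose session is locked (the key
# lives under HKCU, so the right user profile must be loaded).
$keyPath   = 'HKCU:\syscheck'   # step 2: new key under HKEY_CURRENT_USER
$valueName = 'Checked'          # step 4: DWORD value name
$unlocked  = 1                  # step 5: data that disables the lock

# Step 2: create the key only if it does not exist yet.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath | Out-Null
}

# Steps 3-5: create (or overwrite) the DWORD value with data 1.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
                 -Value $unlocked -Force | Out-Null

# Verify before rebooting; a wrong type or value would leave the lock active.
$actual = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($actual -eq $unlocked) {
    Write-Output "HKCU\syscheck\Checked = 1 written. Reboot (step 6), then remove the trojan."
} else {
    Write-Error "Unexpected value for Checked: '$actual' (expected $unlocked)."
}
```

Disabling the lock only restores access to the desktop; the ZeuS binary itself still has to be removed afterwards, as the post says.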

SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119

Analysis by — Mikko S. and Marko

 
Friday, May 18, 2012

 
Video: Angry Birds Space Trojan & Drive-by Android Posted by Sean @ 14:19 GMT

On Monday, we released our Mobile Threat Report for Q1, and in that report we mention there's a growing number of mobile trojans that "deliver on their promises". What do we mean by that?

Well, in the past, mobile malware often offered something such as "free" mobile web services as bait, but then, during installation, the trojan would display some kind of decoy error message.

At that point the folks installing the trojan would typically search for answers, either because they were suspicious or because they were troubleshooting. That would then lead them to answers on forums revealing that what they had installed was in fact a trojan. These days, when even non-nerds have smartphones, the bait is quite a bit different.

No decoy messages. The "bait" actually works.

Here's a video of a trojan installing a working copy of Rovio's Angry Birds Space as it compromises the phone.

Video: Trojanized Angry Birds Space.

So, nothing to troubleshoot… and how many non-nerds do you think will find getting what they were promised to be suspicious? It's quite possible that somebody could compromise their phone and they'll never come to realize it.

Android malware is definitely evolving.

Here's a short preview of something which developed during Q2: drive-by Android malware.

Video: Drive-by Android Malware.

 
Wednesday, May 16, 2012

 
Repost: Webinar: Making Life Difficult for Malware Posted by Sean @ 12:59 GMT

Jarno Niemela, a Senior Researcher here at F-Secure Labs, will be taking part in a Black Hat Webcast on Thursday, May 17, 2012.

The subject is "Making Life Difficult for Malware" and will focus on system modifications that can be used to prevent malware from functioning properly in the event that your system is compromised.

https://www2.gotomeeting.com/register/332978794

More information can be found from the webinar's registration page.

Over 1,000 people have registered thus far!

 
Tuesday, May 15, 2012

 
Recommended Listening: Danger In The Download Posted by Sean @ 13:01 GMT

The Documentary, a BBC World Service program (or programme) recently aired a 3-part series called Danger In The Download.

It's definitely worth a listen. All of the episodes are now available online.

The Documentary: Danger In The Download

Episode 1 — The growing threats in cyberspace from hackers and cyber weapons.
Episode 2 — Is the net's architecture and governance still fit for purpose?
Episode 3 — What governments can do to protect the Internet.

If you prefer your audio in the form of a podcast, we also recommend PRI's The World: Technology Podcast which is also offering Episode 1 for download.

 
Monday, May 14, 2012

 
Download: Mobile Threat Report, Q1 2012 Posted by Sean @ 15:49 GMT

It's time to publicly release our latest Mobile Threat Report, covering the 1st quarter of 2012.

Our Q4 2011 report was quite popular and this new one for Q1 is even better. More content (and pages) for your reading pleasure.

Mobile Threat Report, Q1 2012

Mobile Threats Motivated by Profit Per Quarter:

Mobile Threat Report, Q1 2012

You can download it here: Mobile Threat Report, Q1 2012 [PDF]

 
Thursday, May 10, 2012

 
What's wrong with marketing software? Posted by Sean @ 13:02 GMT

Yesterday, I suggested that nonymous speech is vastly superior to anonymous DDoS attacks and other forms of censorship.

Today, I offer this "anti-piracy" PSA (circa 1988) as evidence to support my thesis:

What's wrong with marketing software?

It's stuff like this that made me happy to buy Infocom's games. They asked nicely, and made their points with tongue-in-cheek humor. I still remember this joke 24 years later. DDoS attacks? They fade from memory quickly.

Internet activists (as well as today's media industry) would do well to learn from the past.

 
Wednesday, May 9, 2012

 
Pirate Bay to Anonymous: Call Your Mom! Posted by Sean @ 17:13 GMT

UK courts recently ordered Internet Service Providers to block access to The Pirate Bay. Yesterday, Virgin Media was attacked by some who claim association with the Anonymous collective.

Well, The Pirate Bay had something to say about the attack on its Facebook page.

Seems like some random Anonymous groups have run a DDOS campaign against Virgin media and some other sites. We'd like to be clear about our view on this: We do NOT encourage these actions. We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us. So don't fight them using their ugly methods. DDOS and blocks are both forms of censorship. If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol, print some pro piracy posters and decorate your town with, support our promo bay artists or just be a nice person and give your mom a call to tell her you love her.

TPB: We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us.

My take: Love thy enemy.

TPB: So don't fight them using their ugly methods. DDOS and blocks are both forms of censorship.

My take: Two wrongs don't make a right.

TPB: If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol…

My take: Don't be destructive. Better to be "subversive".

TPB: …print some pro piracy posters and decorate your town with, support our promo bay artists or just be a nice person and give your mom a call to tell her you love her.

My take: Call your mother. She worries about you.

Now some Anons out there may push back at The Pirate Bay's claim that DDoS equals censorship. There are numerous Anons that have claimed DDoS attacks are a form of digital protest similar to a sit-in. But consider this: a sit-in is a form of trespass, and trespass and preventing access to others is a crime.

A crime for which the world's greatest human rights leaders have been arrested. But that's the whole point. Civil disobedience is about non-violent resistance — breaking the rules and yet showing respect to the framework in order to change the rules. DDoS is not a non-violent protest. And the attempted lack of accountability is not respecting your fellow members of society.

Anon protip: there's a very good reason why Letter from Birmingham Jail by Martin Luther King, Jr. is (and always will be) infinitely more powerful than would be "YouTube video by Anon-MLK #OpBirmingham".

Kudos to the Pirate Bay crew for so clearly understanding this truth.

Regards,
Sean

 
Tuesday, May 8, 2012

 
Java Drive-by Generator Posted by Karmina @ 15:27 GMT

Ran across quite an interesting infection today. I visited a site that prompted me with a security warning about a "Microsoft" application from an unknown publisher. The site is actually pretending to be a Gmail Attachment Viewer. Microsoft+Gmail? Fail.

Google attachment

After allowing the application to run, it redirects to a Cisco Foundation invitation while downloading a malware binary in the background.

Cisco invite

The message also contains a malicious link that downloads the same malware. Perhaps to make sure that you really get infected.

Anyway, this infection is generated using iJava Drive-by Generator, which apparently has been around for a while now.

The generator allows the attacker to use random names or specify their own preference for both the Java file and the dropped Windows binary.

iJava main

iJava also keeps track of infections. Below is the data from the infection mentioned above:

iJava 2ndp

This shows that for this particular malware, the infection only started yesterday. So far there are only 83 visits to the Java drive-by link.

And thankfully, he's not very successful (knock on wood):

iJava stats

Updated to add: The number of visits has now increased to 122 with a 26% success rate. Since it's counting the number of visits, if a specific IP accessed the page twice it then counts it as two. The total unique IPs so far is 77 with 30% success rate.

Kaspersky's Kurt Baumgartner has pointed out that this rate can actually be considered pretty high for such kits.


Webinar: Making Life Difficult for Malware Posted by Sean @ 13:01 GMT

Jarno Niemela, a Senior Researcher here at F-Secure Labs, will be taking part in a Black Hat Webcast on Thursday, May 17, 2012.

The subject is "Making Life Difficult for Malware" and will focus on system modifications that can be used to prevent malware from functioning properly in the event that your system is compromised.

https://www2.gotomeeting.com/register/332978794

More information can be found from the webinar's registration page.

 
Friday, May 4, 2012

 
Terrorist Groups in the Online World Posted by Sean @ 12:40 GMT

The Combating Terrorism Center at West Point (USA) has released a study called "Letters from Abbottabad: Bin Ladin Sidelined?". The study provides analysis of 17 declassified documents captured last year during the raid which killed Usama bin Ladin. Copies of the documents in the original Arabic as well as English translations have been made available.

PRI's The World has an excellent summary: US Releases Letters From Bin Laden Compound.

Our Chief Research Officer, Mikko Hypponen, has been studying online extremism. He examined the documents and found this:

A reference to "jihadist websites", which can be found in document SOCOM-2012-0000019:

SOCOM-2012-0000019

Mikko recently spoke about online jihadists at RSA Conference 2012.


You can watch the presentation here: Terrorist Groups in the Online World
 
Thursday, May 3, 2012

 
Yet Another SQL Injection Attack Posted by Karmina @ 16:31 GMT

Somehow these SQL Injections targeting ASP/ASP.net sites just never seem to abate.

First there was Lizamoon… surprising us with the millions of websites that got injected.

Then came a few others with the recent ones being nikjju.com and hgbyju.com.

Now came njukol…

Google search results for njukol

Although the name is no longer as catchy as Lizamoon, the idea remains the same.

This njukol.com is still pretty fresh out of the oven. The domain was registered last April 28. The funny thing is, the registrant of the domain is the same as for all those previous ones.

Domain registrant details


Targeted Attacks in Syria Posted by Mikko @ 12:19 GMT

Syria has been the center of much international attention lately. There's unrest in the country and the authoritarian government is using brutal tactics against dissidents. These tactics include the use of surveillance technology, trojans and backdoors.

Some time ago we received a hard drive via a contact. The drive had an image of the system of a Syrian activist who had been targeted by the local authorities.

Syria

The activist's system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat.

Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe which was a backdoor — a backdoor called "Xtreme RAT".

Xtreme RAT is a full-blown malicious Remote Access Tool.

Sold for 100 euro (Paypal) via a page hosted at Google Sites: https://sites.google.com/site/nxtremerat

Xtremerat

We have reasons to believe this infection wasn't just bad luck. We believe the activist's computer was specifically targeted. In any case, the backdoor calls home to the IP address 216.6.0.28. This IP block belongs to the Syrian Arab Republic — STE (Syrian Telecommunications Establishment).

This would not have been the first case of using trojans for such purposes in Syria, either.

See these references for similar cases in the past:

http://cnn.com/2012-02-17/tech/tech_web_computer-virus-syria_1_opposition-activists-computer-viruses-syrian-town

http://blogs.norman.com/2012/security-research/the-syrian-spyware

http://resources.infosecinstitute.com/darkcomet-analysis-syria/
(includes an interview with the author of another RAT used in a similar attack)

SHA-1 hashes of the samples in question:

  •  2c938f4e85d53aa23e9af39085d1199e138618b6
  •  a07209729e6f93e80fb116f18f746aad4b7400c5

 
Wednesday, May 2, 2012

 
Oxford Muses on Mac Flashback: Worst Outbreak Since Blaster Posted by Sean @ 14:25 GMT

So how bad was last month's Mac Flashback outbreak and who suffered the most? Our guess: it was bad, and university IT help desks. And it looks like our guess might not be far off the mark.

Oxford University Computing Services' network security team (aka OxCERT) has written that they dealt "with what is probably the biggest outbreak since Blaster struck the Windows world all the way back in the summer of 2003."

OxCERT dealt with around 1000 incidents for Blaster. They've seen several hundred Flashback incidents… "and they keep on coming."

Other institutions, such as The University of Manchester, have detailed that the large number of infections exist mainly within halls of residence.

Do you work for a college or university IT help desk? Have you experienced a significant uptick in Mac malware cases? We're interested in your comments (and stats).

Cheers!