Monday, July 25, 2011

F-Secure / Bellsouth Phishing Posted by Mikko @ 14:06 GMT

We were tipped by an alert user (thanks Walt) about this phishing scam targeting F-Secure and Bellsouth.

The fake e-mail used in the attack looks like this:

Ronnieandhattie: Dear Bellsouth Account User,<br /><br />Your e-mail needs to be updated with our released F-Secure <br />Internet Security 2011 new version of a better resource <br />webmail spam and viruses. If you have not upgraded your <br />account, click reply and fill in the columns below to send it <br />back so we can update our database account immediately.<br /><br />Failure to update will process your Bellsouth account <br />being temporarily blocked or suspended from our network and <br />may not be able to receive or send e-mail due to the update.<br /><br />Fill the column below:<br /><br />USERNAME:<br />PASSWORD:<br />Phone:<br /><br />We apologize for the inconvenience, we are here to make it <br />look better webmail in 2011.<br /><br />Bellsouth Customer Care!<br />Case Number: 7650087 Property<br />Account Security<br />©2011 Bellsouth All Right Reserved.

Please disregard such obvious phishing emails and delete them. Similar attacks have been targeting other operators and other antivirus companies as well.


Wednesday, July 20, 2011

TED Talk Posted by Mikko @ 10:38 GMT

So, I did a TED Talk on Defending The Net in TEDGlobal last week.

TEDGlobal 2011 Mikko Hypponen

Attending TED was amazing.

Speaking at TED was nerve-wrecking… especially as I had several risky live demos in my 18-minute talk. However, all went well.

I'm happy to report the talk is out now on TED.COM. An HD version of the talk is available as MP4 here.

TEDGlobal 2011 Mikko Hypponen

If you like the talk, please pass it on. I think watching this short talk would be especially useful to people who don't know much about online risks.

Furthermore, there's a veeery long discussion thread on my talk in Reddit, and I'm answering questions on what goes into building a talk like this.

TEDGlobal 2011 Mikko Hypponen

I'm humbled by all the great feedback I received for my talk, both on location in Edinburgh and now online.

Thanks all,


Monday, July 18, 2011

Military Targets Posted by Mikko @ 12:08 GMT

There's a lot of talk about targeted attacks against defense contractors.

military targets

These attacks are still continuing.

We found this sample last week (md5: f393f34f268ddff34521d136e5555752).

It's a PDF file, apparently sent to an employee of a targeted company as an email attachment.

When opened in Adobe Reader, it exploits a known Javascript vulnerability and drops a file called lsmm.exe. This is a backdoor that connects back to the attacker, who is waiting at IP addresses and

After this, a decoy PDF file is shown to the end user. The decoy is a call for papers for 2012 AIAA Strategic and Tactical Missile Systems Conference, which is a US conference classified as SECRET:

AIAA Strategic and Tactical Missile Systems Conference (SECRET/U.S. ONLY)

The target of this attack is not known to us.


Friday, July 15, 2011

On Android threats Spyware:Android/SndApps.A and Trojan:Android/SmsSpy.D. Posted by ThreatSolutions @ 11:51 GMT

Android malware seems to be all the rage at the moment. Here's a few comments on a couple interesting side issues we've been discussing as we've seen them crop up during analyses.

First up: there was a recent report on suspicious applications found the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still come across them in forums and other such locations, usually promoted as 'free apps'.

The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps. The earlier versions didn't ask for anything other than Internet access:

permissions_internet (104k image)

However the later versions get a bit more personal than that:

application_permissions (47k image)

new_permissions (169k image)

With the changes, the app is able to access various bits of information from the device: the carrier and country, the device's ID, e-mail address and phone number.

services (92k image)

The information is sent out to a remote server.

An additional twist this app pulls is that it includes a little icon that when clicked, leads the user to other apps which presumably, they might like to try. The apps being promoted also appear to show the same suspicious behavior.

applications (66k image)

What was interesting is that both the earlier 'unremarkable' and later 'suspect' versions of the app appear to be from the same developers:

comparison (56k image)

It appears to be a case of questionable new behaviors being added at a later date to an existing app, and not a repackaged app with foreign malicious routines added. We're still looking into various aspects of this; for now, based on the observed behavior, we detect these applications as Spyware:Android/SndApps.A.

This case is interesting to us as we see it as an evolution in Android application development, specifically 'greyware'. This kind of behavior seems to bear out one of our earlier predictions, where an 'established' developer would be able to push out an update containing suspicious/unwanted/unethical routines, which may invade the user's privacy.

The newly added routines could include obtaining user information that can be used for other purposes, like sending marketing advertisements or spam. At worst, the details may be sold to a third party. We would have no way of knowing what is being done with the information.

In another case even more recently, we've been discussing the odd behavior of another reported Android app, this time a trojan.

It didn't make sense that the trojan intercepted an SMS message and then reported it to a loopback address:

smsspy_loopback (131k image)

From our investigation, it seems like this app might be a test program. We detect this as Trojan:Android/SmsSpy.C.

However, one of our threat hunters did find a file (SHA1: 7d8004b107979e159b307a885638e46fdcd54586) that appears to be more useful:

smsspy_link (160k image)

That looks more like the real deal. We detect this as Trojan:Android/SmsSpy.D.


Analysis and post by: Zimry, Irene, Raulf and Leong


Thursday, July 14, 2011

TED Posted by Mikko @ 09:19 GMT

I remember discovering TED.COM in late 2006. Since then, I've watched or listened hundreds of TED Talks, each of which lasts only 18 minutes. My favourite ones include Stephen Wolfram's Computing Theory of Everything and Ric Elias' 3 things I learned when my plane crashed.

So, in 2009 I attended TED in Long Beach, California. Attending a TED conference isn't straightforward: you need to apply and have two people recommend you. Sitting in the same audience with people like Al Gore, Bill Gates and Paul Simon blew me away. I wanted to do a TED Talk myself.

I've always been lucky. So earlier this year I was invited to speak at TEDGlobal 2011.

TEDGlobal 2011 Stage - Photo: Robert Leslie / TED
Photo: Robert Leslie / TED

TEDGlobal 2011 has been a blast. I did my talk yesterday to a crowd more intensive than I've ever seen. It went well.

Mikko Hypponen doing his TED Talk at TEDGlobal 2011 - Photo: James Duncan Davidson / TED
Photo: James Duncan Davidson / TED

I believe it's the only TED Talk I've seen that used an overhead projector and transparencies, as commented here by comedian Robin Ince:

Robin Ince TED 2011

I'll let you know when the video is posted to TED.COM.

Thanks to everybody who helped me pull my talk together, especially Misha Glenny, Petteri Kankkunen, Juuso Koponen, Joachim Viide, Jani Kenttälä, Miguel Rodriguez and F-Secure Labdev!


Friday, July 8, 2011

Wanted: Internet Security 2012 Beta Testers Posted by Sean @ 13:40 GMT

Do you enjoy bug hunting? Do you like to test software?

Our F-Secure Internet Security 2012 Beta launched a couple of weeks ago, and it's off to a very promising start.

F-Secure Internet Security 2012 Beta

There are some small UI changes — such as our new Launch Pad.

Launch pad

And it's been modularized into two components: Computer Security and Online Safety.

Online Safety dialog

Under the hood, Internet Security 2012 comes with our latest behavioral engine: "DeepGuard 4".

And our software isn't the only thing that's been updated.

The Innovation and Customer Involvement team has a new portal. Beta testers can now submit and track bug reports and they can be directly accessed by the developers.

We also have a new public "forum" at:

F-Secure Community

Our new Community is for more than just testers. Existing customers are welcomed to participate as well.

If you're interesting in trying and testing Internet Security 2012, please visit the Labs' Beta Programs and read the details! Cheers.


Thursday, July 7, 2011

JailbreakMe Lulz Posted by Sean @ 22:01 GMT

Perhaps you've heard the news? JailbreakMe 3.0 went live yesterday.

What's JailbreakMe? It's an easy way to jailbreak an Apple iOS device using a PDF (related) vulnerability.

It's done with a "drive-by" style exploit.

All somebody needs to jailbreak their (newer) iPad/iPhone/iPod is to visit and to touch the free/install button. The German Federal Office for Information Security has issued a warning about this. They're concerned about the potential for targeted malicious attacks using trojanized versions of the JailbreakMe exploit.

And that's certainly possible, in theory.

We've been asked: do we anticipate any attacks against iOS devices?

Targeted attacks? No, not really. It could happen, but we don't really anticipate any as such.

However, we wouldn't be at all surprised if some AntiSec hacker group attempted something "for the lulz".

And just how would somebody attack iOS devices? Via attachments?

Attachments? No. E-mail is so not the attack vector in this case (never was on an iOS device). What folks should be careful with are their social media apps, particularly Twitter.

A Twitter account belonging to Fox News was recently hacked and used to declare the death of Barack Obama. That hacked account could just have easily posted malicious links.

Heck, the links wouldn't even need to be malicious.

We can easily imagine AntiSec hackers tweeting links directly to jailbreak PDF files. When somebody clicks on such a link from their Twitter app, it would open Safari — as Apple doesn't allow for other default browsers — and then Safari would attempt to view the PDF. And then… jailbreak.

In the current AntiSec climate, the hackers might even claim that they're doing people a favor. After all, currently, the only PDF patch available is made for jailbroken devices.

You might want to be very careful what you click on between now and the time Apple releases iOS 4.3.4.

Here's a list of our JailbreakMe 2.0 posts from August 2010 (much of it is still relevant):

  •  JailbreakMe 2.0 for iOS 4
  •  JailbreakMe 2.0 Uses PDF Exploit
  •  How many ways can you remotely exploit an iPhone?
  •  Questions and Answers on the JailbreakMe Vulnerability
  •  Apple Patches the JailbreakMe Vulnerability

Prediction: Next year's JailbreakMe 4.0 will be very interesting because of iOS 5's Twitter integration.

Wednesday, July 6, 2011

Is this a Google privacy fail? Posted by Sean @ 15:32 GMT

March 2010: my Google Profile was "not yet eligible" to be "featured" in Google's search results. My profile was private and Google was attempting to get me to make it public.

I thought that was a clever use of reverse psychology, so I took a screenshot and posted it to Twitpic.

Your profile is not yet eligible to be featured in Google search results

Today I read that Google will be deleting all private profiles after July 31. This is related to Google+ migration.

Public profiles

So I decided to review my ("private") profile to see if there was anything that I needed to save.

And then I discovered that my profile was no longer private.


Google said that my full name was not being displayed on my profile page.

So I opened another browser to test this out:


It was small comfort that my full name wasn't displayed on my profile, because it – was – displayed under the Buzz tab.

So next, I "unshared" everything that I had shared via Google Reader.

Your shared items

And then, I examined my "Sharing settings".

Sharing settings

My settings were configured to: "Protected (Shared with selected groups)".

Protected? Well it sure seems like it was public to me!

I use Google for search, and not share. And I think I'll keep it that way…

If you haven't reviewed your Google Account settings lately, I highly recommend using Google Dashboard (and soon).



Monday, July 4, 2011

Congratulations!!! You won £2m pounds: SMS 419 Scams Posted by Sean @ 17:03 GMT

Topi Kanniainen, from Digitoday contacted us regarding an SMS advance fee fraud (419) scam message that he received.

It turns out that a member of our Threat Research team has also received such a message, back in January — he saved it.

Here's what it looks like:


Google Apps?

The (cloud friendly) scammers probably built and paid for it using stolen funds.

So what happens if you call the number?

Believe it or not, there's actually somebody on the other end of these phone numbers that answer if called. If they think you sound vulnerable, they'll attempt to scam you in a variety of ways.

We called the number from Topi's SMS with one of our "burn" phones and uploaded the results to the Labs' YouTube channel.

Advance Fee Fraud (419) SMS

Heh, guess he didn't like that we were calling from Helsinki.

If you receive a text message such as this, the best course of action is to do a Web search for the sending number. It doesn't take very long before you'll find some crowd-sourced information, typically on websites such as WhoCallsMe.

Here's the story published by Digitoday: Uusi huijaus vaanii suomalaisia – älä soita tähän numeroon. [Finnish]

Updated to add on July 7th: Here's another example — this one from our Swedish office.

You have won £990,00.GBP. Pounds in NOKIA UK PROMO.

Notice the number starts with +44 (70). That's a "personal number" that can be routed anywhere.


Friday, July 1, 2011

Facebook Apps IFrame Flaw Used For Phishing Posted by Sean @ 18:59 GMT

Yesterday's post made note of a spammer that has figured out a way to embed his Cost Per Action (CPA) surveys into a Facebook application at

An observant reader called Matthew wrote to inform us of a phishing attack that uses the very same technique.

The phisher's form fits seamlessly into

Account Security on Facebook

Fortunately, this still appears to be in the early stages, and the statistics indicate it isn't widespread.

Department of Facebook Security

Department of Facebook Security? Cute.

An IFrame on the app's page is the source of the problem:


Not the application.php page, but the app's page. (We're not sure what it's called… the page one ends up on if the "Go to App" button is clicked.)

The IFrame is loaded from a compromised website, which appears to be a clothing webshop, It's hosted in Indonesia.

We attempted to fill out the phishing form, at the source, with some bogus information, and got this prompt:

The password you entered is incorrect

The form appears to be testing the details when entered.

The website also discourages right-clicking.

Right click is not allowed on this page.

There doesn't appear to be much talk of this on Facebook. It could be that phishing links are being e-mailed to potential victims.

Here's the one example we found:

Security Warning From Facebook

Facebook introduced IFrames to applications several months ago. Trend's Rik Ferguson blogged about the issue in February.

David F. Carr at InformationWeek wrote Facebook iFrames: Good For Business, Bad For Security? on March 21st.

And now it looks as if the issue may finally need to be addressed. Hosting spam, phishing and malware on via IFrames could quickly become a very serious headache.

We been in contact with Facebook' security team and they're looking into the issue.

Updated to add on July 4th: Facebook's security team blocked the apps shortly after we made contact with them.

Meanwhile, yesterday, Sophos "security chap" Graham Cluley blogged about additional versions.


Facebook has blocked these as well.

When we went to examine the "suport" URL, we accidentally typed two "p"s instead of one, and discovered yet another phishing app.


The Facebook app is online, but the IFrame is obsolete, and the phishing site component is not active.

Could be more of these lurking about, take care.