Thursday, July 26, 2012

1992 Posted by Mikko @ 15:40 GMT

It's time for the annual greetings from Vegas. Yes, it's the week of Black Hat and DEF CON.

black hat 2012

This time around DEF CON is celebrating its 20th anniversary. The very first Vegas hacker party organized by Jeff Moss was in the summer of 1992.

I wasn't in Vegas in 1992 - my first DEF CON was DEF CON 7 in 1999.

So I started thinking about where I was in the summer of 1992 and what I was doing. I went through my archives. Turns out I spent the summer of 1992 analysing the very first Windows viruses. Before this, we had been spending our time with MS-DOS and Mac malware.

Here's a write-up published in our "Update Bulletin 2.06, 1992":

WinVir - a true alarm

F-Secure has analysed the first Windows specific computer virus. It recognizes the Windows NE files and uses direct action methods against Windows applications. The virus does not infect normal DOS applications. The virus sample was received from Sweden. The exact origin of the virus is not known.

The results of preliminary analysis are as follows:

  • The virus infects only Windows EXE files
  • The strings 'Virus_for_Windows v1.4' and 'MK92' are embedded in the code
  • The virus infects only Windows applications. The infections are generated at the moment of executing an infected application.
  • As a result of the infection mechanisms used by the virus an infected file does not start with the first double click but only with the second. The virus does not constitute a major threat to Windows users. It is not a very efficient infector and does not try to harm data.

The infection procedure:

1. The virus is activated when an infected application is executed.
2. The virus searches for a file suitable for infection from the default directory using MS-DOS INT 21h, AX=4E, 4F services.
3. If no targets can be found, the execution is finished with the call INT 21h, AX=4C00. The actual Windows application is not
4. If targets are found, they are opened one by one and the time stamps saved in memory.
5. The MZ and NE headers are checked.
6. Several values are checked from the NE header.
7. The virus code is added in the middle of the application.
8. The replaced code is moved to the end of the application.
9. The CS:IP from the NE header is changed to point to the beginning of the viral code.
10. The virus deletes its code from the original file and rebuilds it to a functional state.
11. The execution is finished.

Other observations:

  • After the virus code is executed, the original application is not executed. This will appear as a failed double click. As the virus rebuilds the original file if it manages to infect a new file, the next attempt to execute the original application is successful.
  • The infected files grow by 854 bytes.
  • The infection does not change the time stamp of the target application file.
  • The virus is not encrypted or protected in any way.
  • No activation routines could be found.
  • The name of the infector application and the name of the infected file are saved in the virus code.

Wow. A piece of Windows malware that is a whopping 854 bytes in size. Times sure have changed.
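As an added example (not code from the 1992 bulletin or from F-Secure), the following Python parses the MZ and NE headers the write-up says the virus checks, resolves the NE CS:IP entry point to a file offset, and looks for the two embedded strings reported above; the one-segment NE image it builds is constructed here for the demonstration, not a real WinVir sample.

```python
import struct

# Strings the bulletin reports as embedded in the virus body.
WINVIR_MARKERS = (b"Virus_for_Windows v1.4", b"MK92")


def parse_ne(data: bytes) -> dict:
    """Parse the MZ and NE headers; raise ValueError for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    ne_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[ne_off:ne_off + 2] != b"NE":
        raise ValueError("no NE header (plain DOS executable)")
    ip, cs = struct.unpack_from("<HH", data, ne_off + 0x14)    # ne_csip
    cseg = struct.unpack_from("<H", data, ne_off + 0x1C)[0]    # ne_cseg
    segtab = struct.unpack_from("<H", data, ne_off + 0x22)[0]  # ne_segtab
    align = struct.unpack_from("<H", data, ne_off + 0x32)[0]   # ne_align
    exetyp = data[ne_off + 0x36]                               # 2 = Windows
    segments = []
    for i in range(cseg):
        sector, size, flags, _ = struct.unpack_from("<HHHH", data, ne_off + segtab + 8 * i)
        segments.append({"offset": sector << align, "size": size, "flags": flags})
    if not 1 <= cs <= cseg:
        raise ValueError("entry CS points outside the segment table")
    return {"entry_cs": cs, "entry_ip": ip,
            "entry_file_offset": segments[cs - 1]["offset"] + ip,
            "segments": segments, "is_windows": exetyp == 2}


def find_markers(data: bytes) -> list:
    """Return the WinVir marker strings present in the image, in table order."""
    return [m.decode() for m in WINVIR_MARKERS if m in data]


def assess(data: bytes) -> dict:
    """Header facts plus a verdict: both markers inside an NE file is suspicious."""
    info = parse_ne(data)
    info["markers"] = find_markers(data)
    info["suspicious"] = len(info["markers"]) == len(WINVIR_MARKERS)
    return info


def build_sample(infected: bool) -> bytes:
    """Constructed one-segment NE image (hypothetical, not a real WinVir sample)."""
    ne_off, seg_off, align = 0x40, 0x100, 4
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<H", mz, 0x18, 0x40)    # e_lfarlc >= 0x40: new-format header follows
    struct.pack_into("<I", mz, 0x3C, ne_off)  # e_lfanew
    code = b"\xb8\x00\x4c\xcd\x21"            # mov ax,4C00h ; int 21h
    if infected:
        code += b"\x90" * 8 + WINVIR_MARKERS[0] + b" " + WINVIR_MARKERS[1]
    ne = bytearray(0x40)
    ne[:2] = b"NE"
    struct.pack_into("<HH", ne, 0x14, 0, 1)   # ne_csip: IP=0, CS=1
    struct.pack_into("<H", ne, 0x1C, 1)       # one segment
    struct.pack_into("<H", ne, 0x22, 0x40)    # segment table right after the header
    struct.pack_into("<H", ne, 0x32, align)   # sector shift: 16-byte units
    ne[0x36] = 2                              # target OS: Windows
    segtab = struct.pack("<HHHH", seg_off >> align, len(code), 0, len(code))
    image = mz + ne + segtab
    image += b"\x00" * (seg_off - len(image)) + code
    return bytes(image)
```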

Signing off,

Monday, July 23, 2012

Emails from Iran Posted by Mikko @ 10:22 GMT

Over the weekend, I received a series of emails from Iran. They were sent by a scientist working at the Atomic Energy Organization of Iran (AEOI).


The scientist reached out to publish information about Iranian nuclear systems getting struck by yet another cyber attack.

He wrote:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am a scientist, not a computer expert.

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC.

I'm not sure what to think about this. We can't confirm any of the details. However, we can confirm that the researcher was sending and receiving emails from within the AEOI.



Wednesday, July 18, 2012

APTFC Posted by Mikko @ 15:06 GMT

"APT" is a term created by the U.S. Air Force to describe Chinese threat actors.

The most common case where the term APT is used is a targeted attack. Most of those are done via spoofed email messages. Most of those contain booby-trapped document attachments. Most of those show some actual content to the victim in order to fool him into believing the document was actually useful.

Which is why it's interesting to look at the documents, as they quite often tell us more about the attackers and the victims.

Here are some recent examples of malicious document files used in APT attacks. All of these were received anonymously via sample feeds and scanner aggregators, so we don't know who the real targets were.

Targeted attack APT (six screenshots of the malicious documents)

All of the above document files contain an exploit and drop a backdoor when viewed.

These files are blocked by F-Secure Antivirus.

Here are the SHA1 hashes of these samples:


Saturday, July 14, 2012

Cyber Armament Posted by Mikko @ 14:58 GMT

Over the last 25 years we've seen a massive change in how we think about information.

In the 1980s, information was mostly still analogue. It was stored on paper, in binders, on shelves and in safes.

Today, of course, almost all information is digital. It's created and stored on computers and transmitted over computer networks.

From a security viewpoint, this means that secret information can now potentially be reached from anywhere in the world; you no longer have to physically be where the information is.

This means that espionage has also gone digital - and while we've seen several cases of nation-state espionage done with backdoors and trojans, we've seen only one documented case of a nation-state doing cyber sabotage with malware. That case is Stuxnet.

During my years in this industry I've seen multiple mysteries, but few of them have been as interesting as the case of Stuxnet.

F-Secure Labs estimates that it took more than 10 man-years of work to develop Stuxnet. Related attacks like Duqu and Flame might have taken even more.

Stuxnet had a "kill date" of 24 June 2012, which means the worm has now stopped spreading. But that has little significance, as the operation had already been active for years and reached most of its targets already by 2010.

Stuxnet is a good example of the thinking behind these new kinds of offensive attacks: If you want to disrupt the secret nuclear programme of a foreign nation, what can you do?

Well, you have a couple of options. You can try international pressure and boycotts. But if that doesn't work, then what? You can try a conventional military attack and bomb their facilities. However, attribution back to you as an attacker is a problem. So is the fact that you can attack only the facilities you know about.

Using a digital attack like Stuxnet has several advantages. Especially, it provides deniability.

Stuxnet was obviously a game changer. But what does it mean in the long term? I think we are now seeing the very first steps of a new arms race: The cyber arms race.

Just like modern hi-tech research revolutionised military operations over the last 50 years, we are going to see a new revolution, focusing on information operations and cyber warfare. This revolution is underway and it's happening right now.

We haven't seen real online warfare yet, of course. This is because thankfully we haven't lately seen wars between technically advanced nations. But any future crisis is likely to have a cyber component as well.

It's important to understand that cyber warfare does not necessarily have anything to do with the internet. Many of the more devastating cyberattacks cannot be launched remotely, as the most critical networks are not connected to the public network.

Think along the lines of a special forces unit going deep into enemy territory with embedded geeks in the team, to dig up fibre-optic cable to be able to reach the systems that were supposed to be unreachable.

The main point of any arms race is to let your adversaries know about your capabilities so they don't even think about starting a fight. We're not yet at this stage in the cyber arms race. Almost all of the development in this area is secret and classified.

However, eventually it will become as public as any other defence technology. Maybe we'll eventually see public cyberwar exercises where a country will demonstrate their attack capabilities. Maybe we'll eventually see cyber disarmament programmes.

Defending against military strength malware is a real challenge for the computer security industry.

Furthermore, the security industry is not global - it's highly focused in just a handful of countries. The rest of the world relies on foreign security labs to provide their everyday digital security for them. For example, there are only around 10 virus labs in all of Europe, and the vast majority of the countries have no labs of their own.

On the internet, borders don't really matter. But in time of crisis, they do.

Mikko Hypponen
This column was originally published on BBC.


Friday, July 13, 2012

Multi-platform Backdoor with Intel OS X Binary Posted by Brod @ 11:45 GMT

Karmina wrote about a malware targeting multiple operating systems on Monday.

The Mac OS X sample that time was a PowerPC binary. Yesterday, we received an Intel x86 version in our backend systems which appears to have been used in a similar type of attack.

Social-Engineering Toolkit (SET) attack files

Nothing fancy. This time the sample uses the server, which was not accessible during our analysis. It uses the ports 8080, 8081, 443 for OS X, Linux and Windows respectively.

The payloads remain the same, with only their implementations changed. Instead of connecting to the remote server to get additional shellcode to execute (which then opens a reverse shell), the OS X binary immediately opens a reverse shell. Attackers with access to the shell are able to do pretty much anything with the system.

The Linux binary remains the same except that it is using a different server. In Windows, the same payload routine is now in the form of a shellcode:

Windows payload in shellcode form

The shellcode is executed using the SET module shellcodeexec.binary. In a nutshell, despite being in a different form and using a different server and port, the behavior of the Windows payload remains the same.

The files are detected as:

Backdoor:OSX/TESrel.A (MD5: 0c6f52069afb3e8f0019f6873fb7a8b0)
Backdoor:Linux/GetShell.A (MD5: 2241851dfb75b3562f4da30363df7383)
Backdoor:W32/TES.A (SET module shellcodeexec.binary / MD5: 7a0fcd15ee1c2d9d196ab6515adf2f87)

The appearance of these samples in our backend indicates that the incident we reported earlier is not the only one out there.


Thursday, July 12, 2012

"There's never just one cockroach in the kitchen." Posted by Sean @ 15:57 GMT

There's a reaction to yesterday's post which suggests we find fault with Google for "not doing their job" by letting malware into Play.


We didn't take Google to task on the matter of prevention. It's about its response.

It literally took less than 10 seconds for us to locate a second dummy account being used to push alternate versions of Dropdialer. Google's Android Security team had already removed the first two threats more than six hours earlier. Why was the "Vahtang Maliev" account still online?

Does "Android Security" not know how to utilize Google Search?

Here, let's find another example of Dropdialer:

Google Search: GTA 3

Using "GTA 3", description, and yields yet another hit with the sixth result.

(Which took us less than 30 seconds to discover.)

Google Search result: GTA 3

And we're still able to pull the app's page out of Google Cache meaning it was only recently deleted:

Vitaliy Orlov, GTA 3 Stone City

This dummy account is for one Mr. "Vitaliy Orlov" and as you can see from the image above, similar bait was used as the other two accounts: GTA 3; Super Mario; Angry Birds; and Cut the Rope.

Hmm. Cut the Rope? Yeah, we've seen that before: last December, repeatedly.

Guess Android Security didn't learn the lesson that "there's never just one cockroach in the kitchen."

When a new threat is identified — start searching for more.

Google's "Bouncer" is designed to prevent malware threats from getting into Play.

Now perhaps Google just needs to take Android security seriously enough to invest in "response" systems.

Seriously, given the massive firepower of Google's back end… once a threat is identified, it really shouldn't take more than six hours for Android Security to hunt down and terminate additional versions of the scam.

We expect better.


Wednesday, July 11, 2012

Google Play Fails to Remove All Super Mario Malware Posted by Sean @ 11:43 GMT

Malware has been found once again on Google Play according to this post by Symantec's @Irfan_Asrar.

Android.Dropdialer poses as a "Wallpaper" app but it also happens to install an additional app which then sends a premium rate SMS.

Asrar analyzed two versions found on Play that used video games as bait. Good news: Android Security removed the apps identified by Asrar. Bad news: there are more malware apps currently on Google Play. When something works once, bad guys will try it again.

With that in mind we used Google Search and we found more examples (in less than 10 seconds).

Google Play, Search

Here's another version of the "Super Mario Bros." app:

Vahtang Maliev, Super Mario Bros.

GTA 3: Las Vegas (Asrar located a Moscow City version):

Vahtang Maliev, GTA3 Las Vegas

Instagram After Effects:

Vahtang Maliev, Instagram

FIFA 11 Russian Edition:

Vahtang Maliev, FIFA 11

Odnoklassniki Life:

Vahtang Maliev, Odnoklassniki

Here's something clever…

Premium rate SMS numbers only work within a particular country. So, this malware is "incompatible" outside of profitable networks.

This app is incompatible with all of your devices.

This limits the malware to its target group, as well as making it more difficult for antivirus researchers to collect samples.

Kudos to Asrar for identifying the threat. Better luck next time to "Android Security".

Updated to add:

Here's a video demonstration of the Vahtang Maliev version of the Super Mario Bros. Dropdialer:

YouTube: Dropdialer: Super Mario Bros. Version


Monday, July 9, 2012

Multi-platform Backdoor Lurks in Colombian Transport Site Posted by Karmina @ 16:06 GMT

We recently came across a compromised Colombian Transport website where the malware author utilizes social engineering by displaying a signed applet upon visiting the page.

Here is what is shown if visited using Windows:

ff_sig (46k image)

And using MacOS:

mac_sig (52k image)

The JAR file checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform.

jar_code (123k image)

All three files for the three different platforms behave the same way. They all connect to to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux, and Windows respectively.

The files are detected as:
Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)

The Mac OS X sample is a PowerPC binary; as such, executing the file on an Intel-based platform requires Rosetta:

intel (30k image)

The C&C and hacked website have been reported.

Thanks to Brod for the payload analysis.


Corrected a typo in the IP address (from to Thanks Costin for spotting this!

The JAR file appears to be generated using the Social-Engineer Toolkit.


Not Your Normal Skype Download Posted by Karmina @ 15:14 GMT

We recently stumbled upon a website that supposedly provides the application Skype for Android devices.

When visiting the website using an Android device, it shows an APK file (skype52_installer.apk) for download:

skype_apk (25k image)

However, accessing the website using an iOS device yields the screenshot below:

skype_iphone (24k image)

The new application is being verified and deployed: skype.ipa
Checking iphone_free_space

Afterwards, it informs the user that the installation is "complete":

skype_iphone_confirm (25k image)

Installation complete!
The new application skype is ready to install!
Enter your phone number to protect against illegal usage of this application, and follow instructions in a SMS message.

At this point, there is still no new application installed on the device. As expected, even after entering a number, nothing happens.

skype_iphone_sms (47k image)

Installation complete!
A free SMS message with confirmation request has been sent to you.

If visited using any device other than Android or iOS, it prompts for a JAR file (skype52_installer.jar):

skype_jar (216k image)

Thanks to Dmitriy for the translation!


DNSChanger Wrap Up Posted by Sean @ 14:17 GMT

Bye bye FBI. We can confirm that the DNS Changer Working Group's "clean DNS servers" are offline.

A popular move, at least based on last week's poll results:

DNSChanger poll results
Source: DNSChanger: should the F.B.I. be reauthorized to continue after July 9th?

But don't panic. According to reports, many major Internet Service Providers have configured their own substitute DNS servers and are continuing to work the problem.

The FBI is out — and ISPs are in. All in all, things are working out as they probably should in a case such as this. The infection count continues to decrease without a major crisis in support calls. (We've only received a couple from our own customers.)

Here's the top 20 country IP infection count from this weekend's data:

DNSChanger IP count
Source: @mikko

So, still some work to be done…

Kudos to the FBI and the DCWG for their efforts.

P.S. Check out Mikko's "Case DNS Changer" collection on Pinterest for some interesting screenshots.


Wednesday, July 4, 2012

How to Monetize Facebook Pages Posted by Sean @ 15:05 GMT

We recently discovered an interesting post on a Cost Per Action (CPA) marketing forum. It's from June 13th.

"How to buy Facebook pages and Monetize them."

What's it all about? Facebook spam.

Here are the basics:

How to buy Facebook pages and Monetize them

Searching for Pages to buy…

How to buy Facebook pages and Monetize them

How much do Pages sell for?

How to buy Facebook pages and Monetize them

Find your niche.

How to buy Facebook pages and Monetize them

So basically, join a CPA affiliate marketing network, find an ad, search for Pages using keywords related to that ad (a.k.a. "niche"), offer to buy the Page, and then… spam the folks that have liked the Page with "special offers".

Folks click on the offer, which eventually asks for something such as a phone number (for billing).


Do you ever wish all the "niche" seeking parasites would just go and find a job that actually contributes something to society?

Yeah, so do we.


Tuesday, July 3, 2012

iPhone "5" Posted by Sean @ 14:31 GMT

Apple's "world changing" iPhone celebrated its fifth birthday on Friday, June 29th.

Mikko's thoughts:

Want to give Mikko your feedback? Do it via Twitter, Facebook or this post's comments.

And now for something completely different:

YouTube: iPhone in a Freezer, circa July 27, 2007.


Monday, July 2, 2012

Should the FBI be reauthorized to continue DNSChanger servers? Posted by Sean @ 14:01 GMT

The latest DNSChanger deadline is rapidly approaching: July 9th. (The previous deadline was March 8th.) Just one week to go!

What's DNSChanger?

DNSChanger is an ad-fraud botnet that the F.B.I. and Estonian authorities busted late last year in Operation Ghost Click.

Operation Ghost Click?

"Click" as in click-fraud. Altering DNS server settings allowed the gang to do man-in-the-middle ad injections.

Man-in-the-middle ad injections? How did that benefit the bad guys?

Well, back around 2006, ad-fraud schemes used "click-bots" and when the issue started getting media attention… advertisers started complaining that Google wasn't doing enough to prevent click-fraud. And they threatened to sue over cost-per-click losses.

So Google put its engineers on the issue and now scripted click-bots are confronted with significant anti-fraud defenses. Google's automation is far better than the fraudsters'. Bye bye click-bots.

So clever ad-fraudsters need to go "off-script" and get humans involved, thus, the ad-injection. The human "victim" isn't forced to click on the ad when they see it, so in a sense, it isn't really "ad-fraud" that can be predicted by Google's automated defenses. In that way, the man-machine bot (should it be called a cyborg?) combination makes money.

Very clever.

Yes. Which is possibly one of the reasons the F.B.I. took such an interest. That and the number of infected computers, which at one point, numbered over 500,000.

Wow, that's a lot. How many computers are still infected?

As of June 11th, just over 300,000 unique IP addresses were still registered by the "temporary" DNS servers.

Here's a breakdown of the top 25 countries:

Unique DNSChanger IPs, June 11
Source: Top DNS Changer Infections by Country

So what is the July 9th deadline all about?

Back in March, the U.S. District Court, Southern District of New York extended authorization for the substitute "temporary" clean DNS servers. If the authorization isn't extended yet again, the DNS servers will need to be shutdown.

What will happen then?

At that point, all of the affected computers will be cut off from DNS services. The computers will still be connected to the Internet, but they will not be configured with the "address book" that they need to locate Internet resources.

Address book?

DNS servers convert URLs such as into IP addresses such as

Without DNS, you need to know the numeric address?


Sounds like it would be a real mess if the substitute servers are turned off. Do you think the court will re-authorize them?

Yes. But… should they?

Shouldn't they?

In six months, less than half of all the infected computers have been fixed. For just how long should the F.B.I. continue enabling these zombie computers? Sure, cutting off the DNS servers will cause some pain, but it just might be the fastest way to cure the remaining infections at this point. And to be frank, sooner is better because these computers are vulnerable to other infections as long as they remain bots.

Take this poll: should the F.B.I. be reauthorized to continue past July 9th?

Check your computer at: