NEWS FROM THE LAB - August 2012


Friday, August 31, 2012

The t2'12 Challenge: Do you have what it takes? Posted by Sean @ 12:48 GMT

Who is this woman?

The carder's girlfriend?

She (her homepage) is your first lead in cracking this year's t2'12 Challenge.

It's set to be released at 10:00 EEST on September 1st. That's 8:00 AM in the U.K. – so get a good night's sleep! And if you're on the east coast of North America, that's 3:00 AM – perhaps you should take a nap…

You'll need "ninja skills" to win the challenge. Here's the description from t2'12:

"A well known carder gang needs to be found and taken down, and it requires an investigator with ninja skills to do it."

"…each gang member possesses a piece of an image file that is known to be incriminating evidence and enough to put the whole gang behind bars. The only lead we have is the homepage of a young woman who is supposedly the girlfriend of one of the gang members. Your mission, should you choose to accept it, is to find all gang members and their pieces of the image file."

Both speed and style can earn you a victory.

And your reward for success? Free tickets to the t2'12 infosec conference.


The authors of the t2'12 Challenge are Tomi Tuominen and our own Timo Hirvonen.


Good luck!

Update: the t2'12 challenge has been solved. But it's not too late… there's still a chance to win a reward via style.


Thursday, August 30, 2012

Java SE 7u7 AND SE 6u35 Released Posted by Sean @ 18:04 GMT

Oracle has released an update for Java, version 1.7.0_07. Also of note, there's a version 1.6.0_35 that also patches vulnerabilities. You can download the installers from here.

Java Updates SE7U7/SE6U35

From Oracle:

"This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2012-4681."

Emphasis ours. The information page is currently blank for us. Hopefully it will replicate soon.


Tuesday, August 28, 2012

Blackhole: Faster Than the Speed of Patch Posted by Karmina @ 16:10 GMT

And before Oracle can release a patch for the new Java zero-day exploit that we wrote about earlier today, Blackhole waltzes onto the scene with an update of its own. So the exploit kit's users can now avail themselves of the latest BH, now with the new CVE-2012-4681 exploit.

We wonder if this will actually spike Blackhole sales.

The authors seem to be in such a hurry that they can't think of new names anymore (click the images for a larger view):

Blackhole code

Blackhole code

With no patch yet available against this, the only solution is to disable Java entirely. Since this is the most successful exploit kit plus a zero-day… qué horror. Please, for the love of your computer, disable Java in your browser.

The JAR is detected as Exploit:W32/CVE-2012-4681.A (SHA1: 15fde2d50fc5436aa73f3fd6b065f490259a30fd).

Post by — Karmina and @TimoHirvonen


Java Runtime Environment = Perpetual Vulnerability Machine Posted by Sean @ 11:49 GMT

Well folks… the perpetual vulnerability machine that is Oracle's Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (CVE-2012-4681). And it's being commoditized at this very moment and will very soon find its way into popular exploit kits such as Blackhole.

Then, if you happen to have Java (JRE) installed, and have the browser plugin(s) enabled… you're at risk of a drive-by download. Based on the details we've examined thus far, all browsers can be exploited (though Chrome seems to be a bit of an open question).

No Java (JRE)

And because Java (JRE) is cross-platform, this potentially opens a door to non-Windows attacks… if the attacker has an appropriately configured payload to drop.

Uninstall Java (JRE) if you don't need (or use) it. If you do need (and want) it, then at least disable the browser plugin(s) when it's not in use. You could also consider installing an extra browser exclusively for Java-based sites.

How do you mitigate this seemingly constant vulnerability? Tell us in this poll:


Monday, August 27, 2012

Video: Mikko @ Hack In Paris Posted by Sean @ 12:38 GMT

Mikko recently gave a keynote presentation at this year's Hack In Paris. The presentation — Where are we and Where are we Going — is now available for viewing on YouTube.

The slides can be downloaded from here.


Tuesday, August 21, 2012

Download: Threat Report H1 2012 Posted by Sean @ 11:54 GMT

Our summary of notable malware research is now available in our Threat Report for H1 2012, covering January to July. 2012 has seen some very significant milestones. From Mikko's foreword:

"Just like modern hi-tech research revolutionized military operations over the last 50 years, we are going to see a new revolution, focusing on information operations and cyber warfare. This revolution is underway and it's happening right now."

"It's important to understand that cyber warfare does not necessarily have anything to do with the Internet."

But don't let the talk of warfare distract you, criminals were still as busy as ever. Our report includes the following case studies:

  •  ZeuS & Spyeye
  •  Flashback
  •  Blackhole
  •  Mobile Threats
  •  Ransomware
  •  Rogueware

You can download the report from the Labs section of our site.


Blackhole in Spam


Monday, August 20, 2012

Safe Parking Posted by Mikko @ 16:31 GMT

Our blog reader Patrick Borsoi was traveling in Italy during the summer.

In San Remo, he spotted this parking meter:

F-Secure blocking malware on a parking meter.

Yes, that's F-Secure Anti-Virus. Blocking malware. On a parking meter.

No, we don't know which malware was blocked. Most likely some network worm.


Friday, August 17, 2012

Your Source For More Sophisticated Intel Posted by Sean @ 12:50 GMT

The amount of malware in the world can be counted in many different ways. Here at F-Secure Labs, we prefer a more conservative approach to enumerating threats. It seems others prefer this method as well:


Thank you for noticing our efforts, H-Security.

The Android statistics above are from our Mobile Threat Report for Q2 2012. All of our reports are available on the F-Secure Labs section of our site. Check them out.

Room 101
The not atypical workspace here at F-Secure Labs… very sophisticated.

Teaser: there's more intel coming soon…


Thursday, August 16, 2012

A ZeuS variant that asks: No sound? No way. Posted by Sean @ 14:05 GMT

We rely on a good amount of automation and virtualization in our battle against malware. Our opponents, malware authors, know this and they frequently employ new tactics to avoid being processed by our back end systems.

One particularly prevalent threat is a "banking trojan" called ZeuS. In the past, we've written about a ZeuS variant that might not infect slow computers as a result of aggressive anti-debugging techniques.

Well, today we analyzed a recent ZeuS variant and discovered that it checks to see if its environment is "normal" by looking for the presence of an audio card from the Windows Registry.

ZeuS, audio_check

The entry checked is:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW{96E080C7-143C-11D1-B40F-00A0C9223196}

If that entry isn't found, the variant deliberately crashes itself with a stack overflow by entering infinite recursion. It most likely does this as an anti-virtualization measure: for example, it fails to run in some standard configurations of VMware, which present no audio device. We (and most likely other AV vendors) don't use off-the-shelf virtualization software in our automation, but this could frustrate more hands-on analysts, such as those who work in bank security.

Here's the variant's SHA1: 73a7c4af7f0d9bc28e1a9f9c293009515dbb65ad

Analysis by — Marko and Mikko S.
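For analysts preparing a VM to detonate a sample like this one, the practical question is whether the sandbox presents the registry entry the variant looks for. The following PowerShell check is an added example written for this post, not code from F-Secure Labs or from the sample; it assumes the path quoted above is read with a backslash separating the SW key from its GUID subkey (HKLM\SYSTEM\CurrentControlSet\Enum\SW\{96E080C7-143C-11D1-B40F-00A0C9223196}), and the function name Test-AudioEnumPresence is our own. It reports whether the key exists and, if so, which device instances sit under it, so the analyst knows in advance whether the sample would proceed or crash itself.

```powershell
# Added example (not from the F-Secure post or the ZeuS sample): sandbox readiness
# check for the audio-device registry probe described above.
# Assumption: the post's path is HKLM\...\Enum\SW\{GUID}, with SW a key and the GUID its subkey.
$AudioEnumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SW\{96E080C7-143C-11D1-B40F-00A0C9223196}'

function Test-AudioEnumPresence {
    param([string]$KeyPath = $AudioEnumKey)

    $result = [ordered]@{
        KeyPath   = $KeyPath
        Present   = (Test-Path -LiteralPath $KeyPath)   # -LiteralPath: no wildcard parsing of the GUID
        Instances = @()
    }

    if ($result.Present) {
        # Each subkey is a device instance; record its description fields so the
        # analyst can see exactly what the VM is presenting to the sample.
        $result.Instances = @(Get-ChildItem -LiteralPath $KeyPath | ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath
            [pscustomobject]@{
                Instance     = $_.PSChildName
                FriendlyName = $props.FriendlyName
                DeviceDesc   = $props.DeviceDesc
            }
        })
    }

    [pscustomobject]$result
}

$check = Test-AudioEnumPresence
if ($check.Present) {
    Write-Output "OK: audio enumeration key present ($($check.Instances.Count) instance(s)); the sample's check would pass."
    $check.Instances | Format-Table -AutoSize
} else {
    Write-Warning "Audio enumeration key missing: a sample using this check would crash itself (infinite recursion) and show no behaviour. Attach an audio device to the VM before detonation."
}
```

Run it inside the analysis VM as an administrator before detonation; on a physical workstation with a sound card it should report the key as present, which is the baseline the sample is testing against.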


Tuesday, August 14, 2012

Recommended: An Insider's View of China and Sina Weibo Posted by Sean @ 12:53 GMT

Do you want to better understand Chinese hackers? If so, then you really need to better understand China.

Context matters.

Rui Chenggang is the anchor of "BizChina", a business show on China's CCTV International. He's a man with a daily television audience of up to 300 million people, and he has nearly 5 million fans on Sina Weibo, China's version of Twitter. He's possibly the most well known guy you've never heard of before.

Rui Chenggang

Chenggang's two-part series, China's Economy – The Insider's View, on the BBC World Service is one of the more distinctive points of view that we've encountered recently. It's definitely worth a listen.

China's Economy – The Insider's View: Episode 1; Episode 2

And regarding Sina Weibo, to better understand a society, you should better understand its use of social media. For more analysis on how Chinese use of Weibo is affecting public activism, check out another two part series from the World Service.

It Started With A Tweet: Episode 1; Episode 2

The series presents several interesting case studies and mirrors the findings of a recent Harvard paper on: How Censorship in China Allows Government Criticism but Silences Collective Expression [PDF]

Happy listening.

Edited to add: From PRI's The World: Chinese Microblogging Site Weibo Turns Three

"Weibo, China's closest cousin to Twitter, turned three Tuesday. It now has 350 million users who engage in a vigorous virtual square."


Friday, August 10, 2012

Gauss: the Latest Event in the Olympic Games Posted by Sean @ 15:26 GMT

The folks at Kaspersky Lab unveiled their latest "nation state sponsored" discovery yesterday, and they call it… Gauss. It is so named because its "modules have internal names which appear to pay tribute to famous mathematicians and philosophers, such as Kurt Godel, Johann Carl Friedrich Gauss and Joseph-Louis Lagrange."

Gauss was discovered during the "Flame" investigation, which itself has connections to Stuxnet — which in turn was part of a U.S. espionage project code named "Olympic Games".


Here are some additional things of interest regarding Gauss.

According to the analysis, Gauss targets several Lebanese banks and monitors transactions (such as a banking trojan would do).

That's quite something when considered in context with this Wall Street Journal story from April:

U.S. Probes Lebanon Banking Deals

Here's another notable detail: Gauss will not install itself if antivirus software is present.

Also, Gauss doesn't like Windows 7 SP 1.

Gauss exits if Antivirus is found.
Source: Kaspersky Lab [PDF]

Then there's this little nugget:

Gauss Traffic Encryption, ACDC
Source: Kaspersky Lab


That caught Mikko's attention.

Finally, given how the Olympic Games story has evolved, it makes "paranoid" minded folks such as us read this August 6th story from the Wall Street Journal about Standard Chartered bank allegedly laundering $250 billion worth of Iranian funds in a whole new light…

N.Y. Regulator Accuses Standard Chartered of Illegal Transfers

Wired's Kim Zetter has a good summary of Kaspersky's findings: Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload.


Tuesday, August 7, 2012

Download: Mobile Threat Report, Q2 2012 Posted by ThreatSolutions @ 04:09 GMT

Here comes the Q2 2012 Mobile Threat Report, detailing the threats that F-Secure Labs analyzed between April to June 2012.

Download your copy here: Mobile Threat Report, Q2 2012 [PDF].
