FinFisher is a range of attack tools developed and sold by a company called Gamma Group.
Recently, some FinFisher sales brochures and presentations were leaked on the net. They contain many interesting details about these tools.
In the background part of the FinFisher presentation, they go on to explain how Gamma hired the (at-the-time) main developer of Backtrack Linux to build attack tools for Gamma. This is a reference to Martin Johannes Münch. They also boast how their developers have presented at Black Hat and DEF CON.
The FinUSB tool is used to infect computers via a USB stick. "Can be used e.g. by housekeeping staff".
According to the documents, the FinIntrusion kit can be used to record usernames and passwords from wireless networks even if the sites use SSL:
They also highlight that FinIntrusion can be used to steal users' online banking credentials:
The FinFly backdoor (deployed from a USB drive) "can even infect switched off target systems when the hard disk is fully encrypted with TrueCrypt":
The FinFly Web exploit can be used for drive-by infections and can be integrated by a local ISP to inject the module into Gmail or YouTube when the victim accesses those "trusted" sites:
Another mechanism to infect the victim is to have the victim's ISP automatically poison all of his downloads to include the malware. This can also be done by modifying automatic software updates.
Interestingly, the description of FinSpy Mobile specifically mentions that they support Windows Phone. This is the first reference to any malware for Windows Phone that we are aware of.
The team is acting like a startup. The "we've maxed out our credit cards to make this dream fly" kind — not the sexy venture capital funded kind — as you can probably tell from the photo above. (Pay no attention to the empty bottle on Harri's desk.) But in any case, the team's project is in its early stages and they are open to and would very much appreciate feedback. And it will directly influence the app's development path.
Lokki is currently available for Android and iOS.
It's not yet available in all countries (legal mumbo jumbo is in progress).
All in all: 71 countries requested information on 38,000+ people. Facebook provided law enforcement information on approximately 25,473 people, based on the percentages of requests where some data was produced.
I copied the numbers to a CSV file if you feel like doing the math (or making a graph).
And just what kind of information might Facebook provide? Well, you can test that for yourself if you have an account. Go to facebook.com/settings and click on the link to "Download a copy of your Facebook data."
You'll find some interesting details inside the data archive:
Including some inferred location data:
But such inferences are far from perfect.
I did in fact visit Germany in April:
But I haven't visited southern California in ages:
At least, not that I know of…
Why does the future suddenly feel like I'll have to start auditing log files for errors as if they were credit reports?
Had we moved forward with it, we would have needed to find a way to store MAC addresses anonymously. Because these days, it's entirely too easy for third parties to seek or sell "business records" to be correlated. Can you just imagine if every CCTV in your city also logged your phone's Wi-Fi MAC?
For those of you interested in running an experiment, check out March's Linux Journal: Wi-Fi Mini Honeypot
But do be careful about what you collect, and how — it's a dangerously unregulated landscape.
"Imagine this: Suppose the NASDAQ community forum wasn't just compromised for its users' passwords — but also to use it as a watering hole. You thought the Twitter, Facebook, Apple, Microsoft watering hole attack compromises via the iPhone Dev SDK forum was bad? Well, I think that would be nothing compared to the kind of damage that could be done via NASDAQ."
Before we get to thinking that nothing is new under the Android malware sun, we get a small but quite interesting surprise: an Android malware that connects to SMTP servers to send an e-mail.
Other than the SMTP usage, the malware is pretty vanilla. Upon installation, the application asks the user to activate device administrator so that it stays persistent on the mobile device. This threat does not add any significant icons to the application menu; rather, the user would need to check the Application Manager before finding out that there is an app masquerading as "Google Service".
After installation, the application will collect sensitive user information such as the phone number, incoming and outgoing SMS, and recorded audio, and send it to an e-mail address. To do so it makes use of SMTP servers, particularly smtp.gmail.com, smtp.163.com and smtp.126.com, to send the stolen data. I smell something very China-ish here…
Below is a screenshot of the threat's attempt to connect to an SMTP server:
This threat is usually downloaded from third-party Android markets or malicious websites. We first saw this malware family a month ago, and it has been active since. We're already detecting this threat as Trojan:Android/SMSAgent.C.
Dear Google — please don't take this the wrong way, but, well… I think you suck.
This hasn't always been the case. Once upon a time, I actually enjoyed using Google services.
But today — well, today I simply wanted to upload an old video to our Labs YouTube channel. Sadly, just after signing in, and before I could upload anything, I was accosted by a "request" to link the YouTube channel to a Google+ profile. And before I knew it — one Mr. "fslabs" had created a Google+ profile. Not great!
Here's a thought: perhaps you should first ask if the YouTube account is an "individual" BEFORE you try linking it to a G+ profile?
Because you didn't ask, "I" ended up with a new profile(s) for which "I" have no use. And undoing (deleting) the linkage from the "individual" profile to the "group" channel ended up disabling the channel. Then I needed to spend some time re-enabling and restoring it. And then I needed to reset the privacy settings for all of the existing videos.
Felt like extortion. (Evil.)
Now, I'm sure you have good reasons for all of this G+ "promotion" crap. And probably some bad ones, too.
I'm certain I made mistakes. I'm sure I missed some small cancel button during the process. And I think I located the "unlink" option in the YouTube settings somewhere after I had already disabled the channel by killing the G+ profile.
But you know what?
I really don't care anymore. I've had it with Google et al. I'll be looking into alternatives. (Vimeo, Dailymotion, et cetera.)
And my personal Google account? It's underused, but I've kept it around because it's "free".
(Google's security engineers can be trusted, I think.)
My decision to delete my Google account is purely a matter of me being fed up with Google attempting to drive me into yet another unwanted "social" network, just for the sake of its bloody search engine rankings and associated advertising machinery.
MiniDuke, a cleverly coded Adobe PDF exploit, made news back in February — it was used to target several European governments.
Now, more than ever, exploit prevention is a critical layer of defense. And that's why F-Secure Labs analysts such as Timo Hirvonen have become such experts on exploits — so our technology can be made better (with developers such as Jose Perez).
Here's a screenshot of our current DeepGuard behavioral engine tech vs. MiniDuke:
Blocked — proactively, without signature-based scanning or back end heuristics.
Exploit interception is one of our primary goals — because exploits are the front end of an attack platform.
More about our technology, and a case study of the ZeroAccess bot, is available from our whitepaper…
In the past few weeks we have been following the relatively new "police ransomware" family we call Trojan:HTML/Browlock. This ransomware is very simple: it just uses the browser to display a lock screen demanding that the victim pay a fake fine, and it plays tricks to prevent the browser tab from being closed.
Since we first saw it targeting folks in the US, Canada, and UK, we have been expecting it to expand to new countries. As expected, users in other regions are now seeing a localized message from their local law enforcement.
Here are the lock screens for Browlock as seen from different countries:
Almost all the ransomware families seem to have great difficulties in finding a translator to create localized lock pages with good quality. Readers that pay close attention (okay, any attention is probably enough) will notice some slight problems with the German localization:
For Canadians, the design of the lock screen has stayed roughly the same:
We did notice that the fine has dropped from 250 CAD to 150 CAD compared to a previous lock screen below. It seems that in today's economy, even ransomware victims can't be expected to pay up such high prices.
While the domain names change, all of the lock screens are currently being hosted on a single server in St. Petersburg:
We detect the lock screen as Trojan:HTML/Browlock.A.
I bet vulnerability researchers love Java. It seems that especially the 2D sub-component of Java has felt their love lately: since the out-of-band patch for CVE-2013-0809 and CVE-2013-1493 in March 2013, 2D has been the most patched sub-component with a total of 18 fixed vulnerabilities. Fortunately, CVE-2013-1493 has been the only one of these exploited in the wild.
On Monday August 12th, a link to yet another Java exploit was shared:
Contrary to what the tweet says, the exploit is not a 0-day. It exploits CVE-2013-2465, yet another vulnerability in the 2D sub-component. The issue affects Java 7 versions up to update 21, but it has been patched in the latest version, Java 7 update 25. We have released a detection for the exploit (Exploit:Java/CVE-2013-2465.A), but so far we have not seen it in the wild.
Even though CVE-2013-2465 is not exploited in the wild (yet), another Java vulnerability affecting Java 7 update 21 is: CVE-2013-2460. The exploit was introduced in the Private exploit kit in July, and since then we have seen it also in the Sweet Orange exploit kit. In addition, Kaspersky has spotted the vulnerability being exploited in watering hole attacks (the JAR file mentioned in the post exploits CVE-2013-2460, not CVE-2012-4681).
Numerous organizations, including several banks and airlines, suffered serious disruptions because of Blaster which caused affected computers to reboot continuously. Can you imagine the difficulties that would cause today?
Vanity Fair's The Code Warrior, circa January 2004, offers a very entertaining long read on the topic.
His notification also includes the following words:
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
That's a strong statement.
So what's this all about? And why can't Levison share the details regarding his decision to shut down Lavabit? Well, his inability to talk is probably either due to a warrant or a national security letter (NSL). Here's the thing about an NSL — a lifetime gag-order comes attached.
Of the hundreds of thousands of NSLs issued, only three recipients have ever won the right to say they received one.
Nicholas Merrill is one such individual, and he spoke about it to WNYC's Bob Garfield in 2011:
We have been following a malicious browser extension that claims to have been developed by various different software companies.
The extension installs itself into the browser and makes posts to social media sites such as Twitter, Facebook and Google+ on the user's behalf. One of the variants installs itself as "F-Secure Security Pack" — and trust us — it's definitely not coming from us.
The installer for this malware is commonly a self-extracting WinRAR executable, although samples come packed in various other ways as well. We can take a peek at the contents of one of the samples:
The contents give a hint to what the malware installer contains: an extension for both Firefox and Chrome (the .xpi and .crx files).
The executables for this malware are signed using a certificate assigned to a company called "VIDEO TECH PRODUCOES LTDA":
It's unclear at this point if the certificate has been stolen or if there is some other connection between the company and the malware samples.
The installer registers an extension with the name of "F-Secure Security Pack" for Chrome:
The same happens for the Firefox browser, with slightly different registration details:
Depending on the targeted region, the malware uses different brands as the name of the malicious extension. For example, we've seen "Chrome Service Pack" for China, Dr. Web for France and Kingsoft for Brazil:
The extension itself is quite simple. It fetches an update from a command and control server and uses the information in this update to post to different social media sites. The comments in the source code are in Portuguese, also giving some hints about the origin of the malware:
Here's an example of the update information the malware fetches from the command and control servers for Brazilian users:
One of the settings automatically retweets a message. This setting was not enabled at the time of writing, but the message to be retweeted is still visible. We can see that this particular message has over 5000 retweets:
F-Secure detects this malware as Trojan.FBSuper or various other heuristic detection names, depending on the variant.
Apple's developer website for its Mac, iPhone and iPad products was taken offline about two weeks ago; shortly afterwards, Apple released a statement saying that the site had suffered an intrusion.
Soon after, Ibrahim Balic, a Turkish grey hat security researcher based in London, claimed responsibility for the intrusion in a video posted on his YouTube channel, in which he claimed that he had filed bug reports prior to the takedown of the website.
Although there have been no further comments or statements from Apple about Balic's claim, Apple does seem to be taking the occurrence seriously and is currently still working on restoring its web services.
Now the issue is — why are developers, particularly iOS developers, being targeted now more than ever? The intrusion on the developer site, though allegedly done with benign intent, brings greater attention to the importance of securing developer accounts, and the potential consequences if such accounts are compromised and misused.
This is in light of an attack earlier this year on the popular iOS developers' forum iPhoneDevSDK, which successfully claimed victims at big tech companies such as Apple, Facebook and Twitter.
This was a textbook watering hole attack, where a hacker intending to attack specific users first compromises a site those users are likely to visit, in order to gather information or access they can later use for a more direct attack against the targets — in this case, the developers who were visiting the site.
Gaining access to an application developer's personal information, which may later be used to compromise their developer account, could lead to great harm for users who trust the developer's products and reputation, particularly on the iOS platform.
Compared with Google's Play store or other app stores for the Android platform, getting a tainted application into Apple's App Store has long been a challenge for malware authors, particularly as Apple's strict review policies have successfully prevented much rogue application activity in the 6 years since the first iPhone appeared.
To get around these barriers, malware authors are now targeting the developers themselves. Their real aim is to gain access to the developer's accounts on the App Store, from which they can essentially hijack the developer's reputation and products to push their own wares.
Channel 4 (a U.K. broadcaster) News has launched an experimental online identity project called: Data Baby. And the data baby's name is "Rebecca Taylor" — a very common name in the U.K. Channel 4 has issued a challenge: Can you find Rebecca Taylor?
The first clue on offer is Rebecca's e-mail: RebeccaTaylor0603@gmail.com.
Well, from that… it's easy to get this:
And a Google Images search yields this (and more):