NEWS FROM THE LAB - August 2013


Friday, August 30, 2013

FinFisher Range of Attack Tools Posted by Mikko @ 13:07 GMT

FinFisher is a range of attack tools developed and sold by a company called Gamma Group.

Recently, some FinFisher sales brochures and presentations were leaked on the net. They contain many interesting details about these tools.

In the background part of the FinFisher presentation, they go on to explain how Gamma hired the (at-the-time) main developer of Backtrack Linux to build attack tools for Gamma. This is a reference to Martin Johannes Münch. They also boast how their developers have presented at Black Hat and DEF CON.


The FinUSB tool is used to infect computers via a USB stick. "Can be used e.g. by housekeeping staff".


According to the documents, the FinIntrusion kit can be used to record Usernames and Passwords from wireless networks even if the sites use SSL:


They also highlight that FinIntrusion can be used to steal user's online banking credentials:


The FinFly backdoor (deployed from a USB drive) "can even infect switched off target systems when the hard disk is fully encrypted with TrueCrypt":


FinFly Web exploit can be used to do drive-by-infections and can be integrated by a local ISP to inject the module into Gmail or YouTube when the victim accesses those "trusted" sites:


Another mechanism to infect the victim is to have the victim's ISP automatically poison all of his downloads to include the malware. This can also be done by modifying automatic software updates.


Interestingly, the description of FinSpy Mobile specifically mentions they support Windows Phone. This is the first reference of any malware for Windows Phone we are aware of.



Thursday, August 29, 2013

Pity Team Lokki, They Have No Time to Enjoy the Sun Posted by Sean @ 11:41 GMT

We've had nearly a week of beautiful summer-like weather in Helsinki (which is not always the case in late August).

So why in the world is "Team Lokki" sitting in their room with the blinds closed?

Team Lokki

No time to enjoy the sun — because they've got a tight schedule to keep, developing updates for Lokki.

iPhone, Lokki splash

What's Lokki?

It's kind of a non-tracking tracking app. In other words, it's a lifestyle app that lets you share your location with a few select people.

No social networks. No big data. No histories.

Just you, your immediate family, and now also a few friends, sharing your current location.

You can read more here:

The team is acting like a startup. The "we've maxed out our credit cards to make this dream fly" kind — not the sexy venture capital funded kind — as you can probably tell from the photo above. (Pay no attention to the empty bottle on Harri's desk.) But in any case, the team's project is in its early stages and they are open to and would very much appreciate feedback. And it will directly influence the app's development path.

Lokki is currently available for Android and iOS.

It's not yet available in all countries (legal mumbo jumbo is in progress).

Here's a link to the Canadian iTunes page.

If you see this page in Google Play:


You can use this link from AppBrain, an Android app portal.


P.S. – A small word of caution for those of you in the United States, using the AppBrain referrer to circumvent Google's censorship could be considered in violation of the Computer Fraud and Abuse Act.

Just kidding, but also not. Maybe. It's time to reform the CFAA.


Wednesday, August 28, 2013

Facebook Transparency Posted by Sean @ 15:40 GMT

Facebook released a transparency report yesterday that covers the first six months of 2013.

Global Government Requests Report

All in all: 71 countries requested information on 38,000+ people. Facebook provided law enforcement information on approximately 25,473 people, based on the percentages of requests where some data was produced.

I copied the numbers to a CSV file if you feel like doing the math (or making a graph).

And just what kind of information might Facebook provide? Well, that you can test that for yourself if you have an account. Go to and click on the link to "Download a copy of your Facebook data."

You'll find some interesting details inside the data archive:

Data archive, security

Including some inferred location data:

But such inferences are far from perfect.

I did in fact visit Germany in April:


But I haven't visited southern California in ages:

southern California

At least, not that I know of…

Why does the future suddenly feel like I'll have to start auditing log files for errors as if they were credit reports?



Video: Government-Endorsed Surveillance Posted by Sean @ 13:00 GMT

IBTimes TV: Government-Endorsed Surveillance

Mikko on IBTimes TV

"This is not what we built the Internet for." ~ Mikko Hypponen


Tuesday, August 27, 2013

Android Malware: Pincer's Author Posted by Sean @ 15:57 GMT

Why does Internet security journalist Brian Krebs follow @senneco?

Found out the answer in today's Krebs on Security: Who Wrote the Pincer Android Trojan?


Monday, August 26, 2013

Wi-Fi Honeypots and MAC Address Surveillance Posted by Sean @ 12:45 GMT

On August 8th, Quartz published a report that recycling bins in the City of London were being used to collect the MAC addresses from phones passing-by. The scheme was halted by August 12th. On the 13th, I spoke with Danish reporter Jakob Møllerhøj about similar Bluetooth and Wi-Fi tracking that takes place in Denmark — to predict the flow of traffic on roads and human flows in airports.

And while traffic flow analysis is a very valuable thing for planners — in the light of a "prism" — this type of metadata collection is a very worrying trend.

Several years ago, we had our own Bluetooth honeypot project:

Bluetooth Honeypot

Had we moved forward with it, we would have needed to find a way to store MAC addresses anonymously. Because these days, it's entirely too easy for third-parties to seek or sell "business records" to be correlated. Can you just imagine if every CCTV in your city also logged your phone's Wi-Fi Mac?

For those of you interested in running an experiment, check out March's Linux Journal: Wi-Fi Mini Honeypot

But do be careful on what you collect, and how — it's a dangerously unregulated landscape.



Friday, August 23, 2013

NASDAQ's Community Forum Posted by Sean @ 15:35 GMT

Me, speaking to's Alastair Stevenson on July 18th:

"Imagine this: Suppose the NASDAQ community forum wasn't just compromised for its users' passwords — but also to use it as a watering hole. You thought the Twitter, Facebook, Apple, Microsoft watering hole attack compromises via the iPhone Dev SDK forum was bad? Well, I think that would be nothing compared to the kind of damage that could be done via NASDAQ."
Image source:

Given that multiple large Internet companies were compromised via a watering hole attack on a FORUM back in Febuary — I was really quite amazed that folks weren't just a bit more curious about the NASDAQ community forum hack. (Because it was vacation season?) Was NASDAQ's forum used to host a watering hole attack?

Then this week's Goldman Sachs options error and NASDAQ outage

…and now I'd really like to see some confirmation that there wasn't a watering hole!

How about you?

Post by — @Sean


Thursday, August 22, 2013

Android Malware goes SMTP Posted by SecResponse @ 07:12 GMT

Before we get to thinking that nothing is new under the Android malware sun, we get a small, but quite interesting surprise. An android malware that connects to SMTP servers to send an e-mail.

Other than the SMTP-usage, the malware is pretty vanilla. Upon installation, the application asks the user to activate device administrator to stay persistent in the mobile device. This threat does not add any significant icons in the application menu, rather the user would need to check the Application Manager before finding out that there is an app masquerading as "Google Service".

mobile1 (138k image)

After installation, the application will collect sensitive user information such as phone number, incoming and outgoing SMS, and recorded audio to an email address. Then it makes use of SMTP servers, particularly, and to send the stolen data. I smell something very China-ish here…

code (169k image)

Below is a screenshot of the threat's attempt to connect to an SMTP server:

smtp (161k image)

This threat was found to be usually downloaded in third party Android markets or malicious websites. We first saw this malware family a month ago, but has been active since. We're already detecting this threat as Trojan:Android/SMSAgent.C.

msms_android (59k image)

Sha1: f04dff1859c9cf43260020b1e4dbbe979fe1bcc1

Post by — Swee Lai


Wednesday, August 21, 2013

We Need To Talk, Google Posted by Sean @ 11:42 GMT

Dear Google — please don't take this the wrong way, but, well… I think you suck.

This hasn't always been the case. Once upon a time, I actually enjoyed using Google services.


But today — well, today I simply wanted to upload an old video to our Labs YouTube channel. Sadly, just after signing in, and before I could upload anything, I was accosted by a "request" to link the YouTube channel to a Google+ profile. And before I knew it — one Mr. "fslabs" had created a Google+ profile. Not great!

Here's a thought: perhaps you should first ask if the YouTube account is an "individual" BEFORE you try linking it to a G+ profile?

Because you didn't ask, "I" ended up with a new profile(s) for which "I" have no use. And undoing (deleting) the linkage from the "individual" profile to the "group" channel ended up disabling the channel. Then I needed to spend some time re-enabling and restoring it. And then I needed to reset the privacy settings for all of the existing videos.

Felt like extortion. (Evil.)

Now, I'm sure you have good reasons for all of this G+ "promotion" crap. And probably some bad ones, too.

I'm certain I made mistakes. I'm sure I missed some small cancel button during the process. And I think I located the "unlink" option in the YouTube settings somewhere after I had already disabled the channel by killing the G+ profile.

But you know what?

I really don't care anymore. I've had it with Google et al. I'll be looking into alternatives. (Vimeo, Dailymotion, et cetera.)

And my personal Google account? It's underused, but I've kept it around because it's "free".

No more. I'm done.

It's no longer worth the hassle.

And to be clear, it has nothing to do with recent allegations that a person has no legitimate expectation of privacy when using Gmail.

And it has nothing to do with any sort of concerns that Google provides the NSA direct access to its servers.

(Google's security engineers can be trusted, I think.)

My decision to delete my Google account is purely a matter of me being fed up of Google attempting to drive me into yet another unwanted "social" network, just for the sake of its bloody search engine rankings and associated advertising machinery.

It's not me.

It's you.


Be seeing you,

Security Advisor, F-Secure Labs


Friday, August 16, 2013

Recommend: CERT Polska's ZeuS P2P Report Posted by Sean @ 11:25 GMT

For those of you interested in excellent banking trojan analysis…

Check out CERT Polska's report on the Gameover version of ZeuS:

CERT Polska, ZeuS-P2P internals – understanding the mechanics: a technical report

ZeuS-P2P internals – understanding the mechanics: a technical report


Thursday, August 15, 2013

Blocking "MiniDuke" Type Threats Using Exploit Interception Posted by Sean @ 11:52 GMT

MiniDuke, a cleverly coded Adobe PDF exploit, made news back in February — it was used to target several European governments.

Now, more than ever, exploit prevention is a critical layer of defense. And that's why F-Secure Labs analysts such as Timo Hirvonen have become such experts on exploits — so our technology can be made better (with developers such as Jose Perez).

Here's a screenshot of our current DeepGuard™ behavioral engine tech vs. MiniDuke:

Miniduke vs F-Secure Internet Security 2014

Blocked — proactively, without signature-based scanning or back end heuristics.


Exploit interception is one of our primary goals — because exploits are the front end of an attack platform.

More about our technology, and a case study of the ZeroAccess bot, is available from our whitepaper…

F-Secure DeepGuard: Proactive on-host protection against new and emerging threats

DeepGuard, Behavioral Protection, Exploit Interception


Wednesday, August 14, 2013

Browlock Ransomware Targets New Countries Posted by SecResponse @ 15:30 GMT

In the past few weeks we have been following the relatively new "police ransomware" family we call Trojan:HTML/Browlock. This ransomware is very simple, and just uses the browser to display a lock screen demanding the victim to pay a fake fine and plays tricks to prevent closing the browser tab.

Since we first saw it targeting folks in the US, Canada, and UK, we have been expecting it to expand to new countries. As expected, users in other regions are now seeing a localized message from their local law enforcement.

Here are the lock screens for Browlock as seen from different countries:

Browlock in UK

Browlock in AU

Browlock in NL

Browlock in ES

Almost all the ransomware families seem to have great difficulties in finding a translator to create localized lock pages with good quality. Readers that pay close attention (okay, any attention is probably enough) will notice some slight problems with the German localization:

Browlock in DE

For Canadians, the design of the lock screen has stayed roughly the same:

Latest Browlock in CA

We did notice that the fine has dropped from 250 CAD to 150 CAD compared to a previous lock screen below. It seems that in today's economy, even ransomware victims can't be expected to pay up such high prices.

Old Browlock in CA

While the domain names change, all of the lock screens are currently being hosted on a single server in St. Petersburg:

Browlock Server

We detect the lock screen as Trojan:HTML/Browlock.A.

Post by — Antti and Karmina


Java - The Gift That Keeps On Giving Posted by Timo @ 08:54 GMT

I bet vulnerability researchers love Java. It seems that especially the 2D sub-component of Java has felt their love lately: since the out-of-band patch for CVE-2013-0809 and CVE-2013-1493 in March 2013, 2D has been the most patched sub-component with a total of 18 fixed vulnerabilities. Fortunately, CVE-2013-1493 has been the only one of these exploited in the wild.

On Monday August 12th, a link to yet another Java exploit was shared:


Unlike the Tweet says, the exploit is not 0day. It exploits CVE-2013-2465, yet another vulnerability in the 2D sub-component. The issue affects Java 7 versions up to update 21 but it has been patched in the latest version, Java 7 update 25. We have released a detection for the exploit (Exploit:Java/CVE-2013-2465.A) but so far we have not seen in the wild.

Even though CVE-2013-2465 is not exploited in the wild (yet), another Java vulnerability affecting Java 7 update 21 is: CVE-2013-2460. The exploit was introduced in Private exploit kit in July and since then we have seen it also in Sweet Orange exploit kit. In addition, Kaspersky has spotted the vulnerability being exploited in watering hole attacks (the JAR file mentioned in the post exploits CVE-2013-2460, not CVE-2012-4681).

To sum up, it does make a difference whether you run Java 7 update 25 or Java 7 update 21. If uninstalling Java or at least disabling the browser plugin is not an option for you, make sure you have the latest version of Java installed.

Grumpy cat

Post by — @Timo

Updated to add: …and giving and giving.


Tuesday, August 13, 2013

Are There Good Hackers? Posted by Sean @ 11:40 GMT

Guy Raz, host of NPR's TED Radio Hour, recently caught up with Mikko while he was attending DEFCON.

Mikko's DEFCON recommendation: don't trust anybody — pen and pad work very well.


Guy interviewed Mikko as part of last week's TRH episode: The Hackers

And Mikko's was the first segment: Are There Good Hackers? …which includes a retelling of Mikko's journey to Lahore, Pakistan, to find the authors of the first PC virus "Brain".

A journey that you can see for yourself via YouTube:


Monday, August 12, 2013

Blaster - 3654 Days Later Posted by Sean @ 10:30 GMT

Yesterday was Blaster's 10th anniversary. Do you remember where you were on August 11, 2003?

Mikko remembers (and he still has the related press release [PDF]).

World's First RPC Worm

Numerous organizations, including several banks and airlines, suffered serious disruptions because of Blaster which caused affected computers to reboot continuously. Can you imagine the difficulties that would cause today?

Vanity Fair's The Code Warrior, circa January 2004, offers a very entertaining long read on the topic.


Friday, August 9, 2013

Encrypted Communications Service Goes Silent Posted by Sean @ 11:44 GMT

A privacy focused e-mail service used by Edward Snowden has shuttered its doors.

According to the owner and operator, Ladar Levison:

"I wish that I could legally share with you the events that led to my decision."

His notification also includes the following words:

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

That's a strong statement.

So what's this all about? And why can't Levison share the details regarding his decision to shut down Lavabit? Well, his inability to talk is probably either due to a warrant or a national security letter (NSL). Here's the thing about an NSL — a lifetime gag-order comes attached.

There are only three organizations that have ever won the right to say they received an NSL of the hundreds of thousands issued.

Nicholas Merrill is one such individual, and he spoke about it to WNYC's Bob Garfield in 2011:

National Security Letters and Gag Orders

Brewster Kahle, the founder of the (awesome) nonprofit Internet Archive, is another.

New Yorker: What It’s Like to Get a National-Security Letter

Lavabit's closure is having a chilling effect. Another encrypted communications company, Silent Circle, has followed Lavabit's lead.

Ars Technica: After Lavabit shutdown, another encrypted e-mail service closes


Wednesday, August 7, 2013

On Fake "F-Secure Security Pack" Malicious Browser Extension Posted by Antti @ 09:19 GMT

We have been following a malicious browser extension that claims to have been developed by various different software companies.

The extension installs itself into the browser and makes posts to social media sites such as Twitter, Facebook and Google+ on the user's behalf. One of the variants installs itself as "F-Secure Security Pack" — and trust us — it's definitely not coming from us.

The installer for this malware is commonly a self-extracting Winrar executable, although samples come packed in various other ways as well. We can take a peek at the contents of one of the samples:

Contents of malware installer

The contents give a hint to what the malware installer contains: an extension for both Firefox and Chrome (the .xpi and .crx files).

The executables for this malware are signed using a certificate assigned to a company called "VIDEO TECH PRODUCOES LTDA":

Certificate information

It's unclear at this point if the certificate has been stolen or if there is some other connection between the company and the malware samples.

The installer registers an extension with the name of "F-Secure Security Pack" for Chrome:


The same happens for the Firefox browser, with slightly different registration details:


Depending on the targeted region, the malware uses different brands as the name of the malicious extension. For example, we've seen "Chrome Service Pack" for China, Dr. Web for France and Kingsoft for Brazil:




The extension itself is quite simple. It fetches an update from a command and control server and uses the information in this update to post to different social media sites. The comments in the source code are in Portuguese, giving also some hints to the origin of the malware:


Here's an example of the update information the malware fetches from the command and control servers for Brazilian users:


One of the settings automatically retweets a message. This setting was not enabled at the time of writing, but the message to be retweeted is still visible. We can see that this particular message has over 5000 retweets:


F-Secure detects this malware as Trojan.FBSuper or various other heuristic detection names, depending on the variant.

SHA-1: 6287b03f038545a668ba20df773f6599c1eb45a2


Tuesday, August 6, 2013

Are Apple developers on the hacker hit list? Posted by SuGim @ 09:27 GMT

Note: this post is condensed from an article written for Digital New Asia.

Apple's developer website for its Mac, iPhone and iPad products was taken offline about two weeks ago; shortly afterwards, Apple released a statement saying that the site had been suffered an intrusion.

Soon after, a grey hat Turkish security researcher, Ibrahim Balic, in London claimed responsibility for the intrusion in a video posted on his YouTube channel, in which he claimed that he had filed bug reports prior to the takedown of the website.

Although there has been no further comments or statements from Apple about Balic's claim, Apple does seem to be taking the occurrence seriously and is currently still working restoring their web services.

Now the issue is — why are developers, particularly iOS developers, being targeted now more than ever? The intrusion on the developer site, though allegedly done with benign intent, brings greater attention to the importance of securing developer accounts, and the potential consequences if such accounts are compromised and misused.

This is in light of an attack earlier this year on the popular iOS Mobile developers' forum iPhoneDevSDK, which successfully garnered victims from the big tech companies, like Apple, Facebook and Twitter and so on.

Notice from IPhoneDevSDK Admin

This was a textbook watering hole attack, where a hacker intending to attack specific users first compromises a site those users are likely to visit, in order to gather information or access they can later use for a more direct attack against the targets — in this case, the developers who were visiting the site.

Gaining access an application developers' personal information, which may be used later to compromise their developer accounts, could lead to great harm for users who trust the developer's products and reputation, particularly on the iOS platform.

Unlike Google's Play store or other app stores for the Android platform, penetrating and uploading a tainted application into Apple's Apps store has long been a challenge for malware authors, particularly as Apple's strict review policies has successfully prevented much rogue application activity in the 6 years since the first iPhone appeared.

To get around these barriers, malware authors are now targeting the developers themselves. Their real aim — to gain access to the developer's accounts on the App stores, from which they can essentially hijack the developer's reputation and products to push their own wares.

Full article: Are Apple developers on the hacker hit list? — by Su Gim Goh


Monday, August 5, 2013

Can you find Rebecca Taylor? Posted by Sean @ 12:47 GMT

Channel 4 (a U.K. broadcaster) News has launched an experimental online identity project called: Data Baby. And the data baby's name is "Rebecca Taylor" — a very common name in the U.K. Channel 4 has issued a challenge: Can you find Rebecca Taylor?

The first clue on offer is Rebecca's e-mail:

Well, from that… it's easy to get this:

Rebecca Taylor's Facebook

And a Google Images search yields this (and more):

Rebecca Taylor?

Looks like an interesting challenge.



xkcd: The Mother of All Suspicious Files Posted by Sean @ 09:07 GMT

From xkcd:

The Mother of All Suspicious Files


Updated to add: explainer.