NEWS FROM THE LAB - September 2011
 

 

Friday, September 30, 2011

 
Trends: From Phishing to "Man-in-the-Middle" Phishing Posted by Sean @ 15:15 GMT

Here's how phishing methods are evolving based on our recent investigations.

E-mail Phishing

This message claims to be from Blizzard Entertainment.

Blizzard phishing

It attempts to phish the recipient by promising access to a game that's currently under development.

The language and grammar usage is good but not perfect.

Somewhat oddly — the e-mail address that's spoofed is noreply@blizzard.com.

—————

E-mail + Server Phishing

This message claims to be from Nordea Bank of Finland.

Nordea phishing

The language and grammar usage is terrible (it looks straight out of Google Translate).

The e-mail linked to an Apache server that hosted this login page:

Nordea phishing
(We sent an abuse report and the site was quickly shut down.)

The fake netbank page asks for the customer's User ID and Code (a one-time password from a printed list).

This is the next page:

Nordea phishing

It asks for the customer's entire current set of Authorization Codes (the bank normally asks for just one code from this list, chosen at random, to complete a transaction).

All input is appended to a text file. In this example the phisher has only a limited window of opportunity to access the customer's account: each code on the printed list is valid until it is used, so if the customer logs in to the real netbank in the meantime, they are prompted for that one-time password, it is consumed, and the phisher's stored information becomes useless.

—————

E-mail + Server + MitM Service

Here's a more advanced example that recently targeted two Finnish banks.

Osuuspankki phishing
Screenshot by Henry Hagnäs

The Finnish used by this message is not quite right, but it's generally better than most Finns actually use in e-mail.

In any case, the language and grammar usage is quite a bit better than in the other phishing campaign.

The phishing server is more advanced as well. Once the customer enters their User ID and one-time password code, the server then attempts a real-time transaction (to take advantage of the limited window of opportunity).

This Man-in-the-Middle service asks the customer to wait for two minutes:

Osuuspankki, man-in-the-middle

And then the customer is asked for a particular confirmation code to complete the transaction:

Osuuspankki, man-in-the-middle

This e-mail + server + MitM service is more subtle and significantly more dangerous than our second example.

Our investigation discovered a similar domain registered for Spain's TLD (.es). We suspect numerous European banks are (or will be) targeted by Man-in-the-Middle phishing.

 
 

 
 
Thursday, September 29, 2011

 
Mikko's Google Zeitgeist Presentation Posted by Sean @ 14:06 GMT

Mikko spoke this week at Google Zeitgeist.

His topic of discussion — the three groups behind today's Internet threats: organized criminals, hacktivists, and nation states.

A video of his presentation is available here:


 
 

 
 
Tuesday, September 27, 2011

 
F-Secure ShareSafe Beta For Facebook Posted by Sean @ 14:53 GMT

Security applications and Facebook tend to mix together like oil and water.

Folks generally want to share when they're online — and not to worry about security. Many people don't use security tools if they prove to be too cumbersome.

Therefore, when attempting to develop a security application for Facebook… it had better not be boring. And that brings us to our new beta: F-Secure ShareSafe. The development team behind ShareSafe aims to build an entertaining Facebook app, with security benefits tagging along for the ride.

Here's a non-security use example: discovering popular links shared by the community.

top links

(You'll also earn badges by sharing via ShareSafe.)

Here's what your links will look like:

Share

Besides discovering new links, earning badges, and having the peace of mind that your own links have been vetted by F-Secure, beta users will also earn points that can be redeemed for stuff such as F-Secure Internet Security licenses.

Redeem

Sounds pretty good, right? — Right.

Read about ShareSafe: http://on.fb.me/ShareSafeInfo
Give it a try: http://apps.facebook.com/sharesafe/

Cheers.

 
 

 
 
Monday, September 26, 2011

 
Hackers to Release iTunes Song Today Posted by Sean @ 13:12 GMT

TeaMp0ison (the hacker group responsible for defacing RIM's BlackBerry blog back on August 9th) and members of Anonymous are set to release a music track today at 4:12 PM, British time, and are daring the music industry to censor it.

http://twitter.com/TeaMp0isoN_/status/118246210443284480

The group is making #OpCensorThis available via iTunes and YouTube.

It's taken a while for them to produce their song. They first published their intentions to do so back on August 11th.

http://youranonnews.tumblr.com/post/8664519181

Here's a selected portion of the text:

"We are going to take youtube and iTunes by storm and flood the song into the world around us, with proceeds going to charities that are actively striving to change it. Once this hits the charts, radio stations will by law, have to play it. Will they thwart the law to continue making sheep out of the people?"

We're not exactly sure what law it is that requires radio stations to play OpCensorThis should it happen to "chart"…

It all sounds like a self-fulfilling prophecy to us. If the song fails to chart, TeaMp0ison will claim that it was censored by the music industry, giving them cause to target the music industry.

Somewhat ironically, when searching for additional details about OpCensorThis and iTunes, we kept hitting Google's bot checking captcha page.

Sorry

Guess Google doesn't like the name?

It took TeaMp0ison over a month to complete their project. Now there may well be too much noise for their signal to get through… even without any "censorship".

Updated to add: And almost unsurprisingly, TriCk of TeaMp0ison failed to deliver the goods. No song as promised. He supposedly fell asleep. We would link you to the Tweet (http://twitter.com/TeaMp0isoN_/status/118246210443284480) in the screenshot above, but it's been censored... sorry, deleted.

Some hackers make for poor "revolutionaries". OpCensorThis may still be released, but frankly, we've lost interest at this point.

 
 

 
 
Friday, September 23, 2011

 
Mac Trojan Posing as a PDF File Posted by ThreatSolutions @ 04:09 GMT

We may have come across a piece of Mac malware in the making. Detected as Trojan-Dropper:OSX/Revir.A, the malware disguises itself as a PDF file to trick the user into triggering its payload.

It starts by dropping a PDF file embedded in its body and opening it, in an attempt to keep the user from noticing the suspicious activity going on in the background.



The content of the document is taken from an article that was circulating late last year, and contains Chinese-language text related to political issues, which some users may find offensive.

This malware may be attempting to copy a technique common in Windows malware: an executable named with a double extension such as ".pdf.exe" and given a PDF icon, so that it passes for a document. The sample in our hands has neither an extension nor an icon yet. There is another possibility, however. On a Mac the situation is slightly different: a file's custom icon is stored in a separate fork that is not readily visible in the OS, and both the extension and the icon could have been lost when the sample was submitted to us. If that is the case, this malware might be even stealthier than its Windows counterparts, because the sample can use whatever extension it likes.
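As an added example (not code from the original post or from F-Secure), here is the check a triage script would make for this kind of masquerade: classify the file by its leading bytes rather than by its name or icon, and look for a decoy PDF carried inside an executable. The magic numbers are the public Mach-O, PE and PDF signatures; the sample byte strings at the bottom are constructed stand-ins, not the Revir.A sample.

```python
# Added example: file-type triage for executables posing as documents.
# Classification is by magic bytes only; names and icons are what the
# attacker controls.  Sample blobs below are constructed, not real malware.

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O, either byte order
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O, either byte order
    b"\xca\xfe\xba\xbe",                         # fat (universal) binary
}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "ppt", "txt", "jpg", "png"}


def container_type(data: bytes) -> str:
    """Classify by the first bytes, never by name or icon."""
    head = data[:4]
    if head in MACHO_MAGICS:
        return "mach-o"
    if head[:2] == b"MZ":                        # Windows PE (the ".pdf.exe" case)
        return "pe"
    if head == b"%PDF":
        return "pdf"
    return "unknown"


def embedded_pdf_offset(data: bytes) -> int:
    """Offset of a '%PDF-' header carried *inside* the body (offset > 0),
    i.e. a decoy document a dropper will write out and open; -1 if none."""
    return data.find(b"%PDF-", 1)


def assess(filename: str, data: bytes) -> dict:
    """Return what the file is, what it claims to be, and why it is suspicious."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner_ext = parts[-2] if len(parts) > 2 else ""   # "report.pdf.exe" -> "pdf"
    kind = container_type(data)
    findings = []
    if kind in ("mach-o", "pe"):
        if ext in DOC_EXTENSIONS:
            findings.append(f"executable named as a document (.{ext})")
        if inner_ext in DOC_EXTENSIONS:
            findings.append(f"double extension .{inner_ext}.{ext}")
        offset = embedded_pdf_offset(data)
        if offset > 0:
            findings.append(f"embedded PDF decoy at offset {offset}")
    return {"type": kind, "extension": ext, "findings": findings,
            "suspicious": bool(findings)}


# Constructed stand-ins: a 64-bit Mach-O header followed by a decoy PDF,
# a PE stub with a double extension, and a genuine (minimal) PDF.
FAKE_DROPPER = b"\xcf\xfa\xed\xfe" + b"\x00" * 60 + b"%PDF-1.4\n%decoy document\n"
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
REAL_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("article.pdf", FAKE_DROPPER), ("invoice.pdf.exe", FAKE_PE),
                       ("article.pdf", REAL_PDF), ("sample", FAKE_DROPPER)):
        print(name, assess(name, blob))
```

Note that the last case, a Mach-O with no extension at all but a PDF embedded in its body, is the shape the sample arrived in: the decoy is detectable even after the icon and extension have been stripped in transit.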

The malware then proceeds to install a backdoor, Backdoor:OSX/Imuler.A, in the background. As of this writing, the C&C of the malware is just a bare Apache installation and is not capable of communicating with the backdoor yet. The domain was registered on March 21, 2011 and was last updated on May 21, 2011.

Since this sample was received from VirusTotal, we cannot be sure exactly how it spreads. The most probable way is as an e-mail attachment. The author could just be testing the waters to see whether the sample is detected by different AV vendors.

Updated to add, MD5 hashes for the samples:

  •  Trojan-Dropper:OSX/Revir.A: fe4aefe0a416192a1a6916f8fc1ce484
  •  Trojan-Downloader:OSX/Revir.A: dfda0ddd62ac6089c6a35ed144ab528e
  •  Backdoor:OSX/Imuler.A: 22b1af87dc75a69804bcfe3f230d8c9d

—————

Analysis by — Brod

 
 

 
 
Wednesday, September 21, 2011

 
Getting Hacked Out of Business Posted by Mikko @ 12:54 GMT

DigiNotar — the CA that got hacked — announced bankruptcy yesterday (read the release).

This is a very clear case where a company folded because it was hacked.

However, this is not the first time something similar has happened.

Earlier this year an Australian hosting provider called Distribute.IT was badly hacked and had no recoverable backups (read the full story). As a result, the company folded and the customer base was acquired by a competitor.

Diginotar, Cloud 9 Communications, Blue Frog, Distribute.IT

Victims of wide-spread and long-lasting distributed denial-of-service attacks include an ISP called Cloud 9 Communications (read more) and an antispam outfit called Blue Frog (Wikipedia entry). In effect, spammers forced Blue Frog out of business.

So does getting hacked always equal going out-of-business? Well, no, not always.

Sony's PlayStation Network was severely hacked earlier this year, but they're still in business. So what's the difference between Sony and these other guys? Well, size and notoriety, for one thing. Sony was so publicly humiliated that public opinion actually turned against the hackers, which gave Sony PSN some time to recover its footing.

DigiNotar, Distribute.IT, Cloud 9 and Blue Frog weren't big enough for all the details to come out during their troubles — and they failed to win public opinion (trust) as a result, and then they suffered the consequences. It's something that all smaller companies should take into consideration and prepare for.

Or else, they could be the next one to be forced out of business.

Updated to add: Submitted by a reader — Going out of business is not always the worst possible result of a hack. HyperVM software founder, K. T. Ligesh (a man with known personal issues), committed suicide after an attack on budget webhosting company VAserv was linked to apparent vulnerabilities in HyperVM software. The hackers later posted to pastebin.com that the attack was the result of VAserv's poor password management rather than any HyperVM vulnerabilities.

 
 

 
 
Tuesday, September 20, 2011

 
Is that URL for real? Posted by Mikko @ 08:23 GMT

Here's a fairly standard bank phishing e-mail, targeting a bank in India:

Reserve Bank of India phishing

Nice touch with that "Beware of Phishing" warning…

Let's look at the attached HTML file:

Reserve Bank of India phishing

You've got to be kidding me. The page redirects to
http://amen.fr.softms.com.netwayexchange.com.liberty-textiles.org.v2nmobile.com.manchesteraircooled.com.blackcountrymortgages.com.cardiorenew-europe.com.solhosts.com.giveupthecigs.com.extravite.com.taxrepay.co.uk? That hostname can't possibly work…

Except it does.

Reserve Bank of India phishing

The redirection goes to reserve.bank.minecraftarena.fr. And the front page of minecraftarena.fr shows a fake "account suspended" message. Nice touch.
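Why does a hostname like that work, and what should a user actually be looking at? As an added example (not from the original post), the check below applies the DNS syntax limits and then extracts the registrable domain of each host in this post. The public-suffix table is a deliberately tiny subset of the Public Suffix List (publicsuffix.org), just enough for these two hosts; a real tool loads the full list.

```python
# Added example: DNS name limits and registrable-domain extraction.
import re

PHISH_HOST = ("amen.fr.softms.com.netwayexchange.com.liberty-textiles.org."
              "v2nmobile.com.manchesteraircooled.com.blackcountrymortgages.com."
              "cardiorenew-europe.com.solhosts.com.giveupthecigs.com.extravite.com."
              "taxrepay.co.uk")
REDIRECT_HOST = "reserve.bank.minecraftarena.fr"

# RFC 1035 label syntax: 1..63 letters, digits or hyphens, no leading or
# trailing hyphen.  The whole name is limited to 253 characters.  Nothing
# limits the *number* of labels, which is what makes the host above legal.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
PUBLIC_SUFFIXES = {"com", "org", "fr", "uk", "co.uk"}     # subset (assumption)


def is_valid_hostname(host: str) -> bool:
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def registrable_domain(host: str) -> str:
    """eTLD+1: the longest public suffix plus one label.  Every label to the
    left of it is chosen freely by whoever registered that domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host!r}")


def describe(host: str) -> dict:
    """What a user should look at: the registrable domain, not the brand
    names stuffed into the subdomain labels in front of it."""
    reg = registrable_domain(host)
    return {
        "valid": is_valid_hostname(host),
        "length": len(host),
        "labels": host.count(".") + 1,
        "registrable": reg,
        "decoy_prefix": host[: -len(reg) - 1] if host != reg else "",
    }


if __name__ == "__main__":
    for h in (PHISH_HOST, REDIRECT_HOST):
        print(describe(h))
```

The 205-character, 25-label host is well inside the limits; everything before taxrepay.co.uk is just a subdomain the domain's owner (or whoever controls its DNS) can point anywhere, and the same goes for reserve.bank in front of minecraftarena.fr.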

The phishing page looks like this:

Reserve Bank of India phishing

The ultimate target of the attack is to collect bank logins and credit card numbers:

Reserve Bank of India phishing

Thanks to Ravikiran for help.

 
 

 
 
Monday, September 19, 2011

 
Taking a Challenge Posted by Mikko @ 12:46 GMT

Have you looked at geek challenges such as the t2 Challenge or 0x41414141.com but never got very far?

Now is your chance to see behind the scenes and learn how such a challenge is solved. The t2 Infosec Event has published a detailed write-up on how the 2011 Challenge was solved. Timo Teräs actually won a free ticket with his detailed write-up [PDF].

t2 challenge

Here's a link to the original challenge if you want to try it by yourself.

—————

Would you like to attend t2? Register here. (Act soon, space is limited, and registration closes on Oct 24th.)

 
 

 
 
Friday, September 16, 2011

 
What We Need Posted by Mikko @ 10:39 GMT

I love the Internet.

Think about everything it has brought us. Think about all the services we use, all the connectivity, all the entertainment, all the business, all the commerce.

And all these changes are happening right now. They are happening during our lifetimes.

I'm pretty sure that when they will be writing history books hundreds of years from now, our generation will be remembered as the generation that got online. We will be remembered as the generation that built something really and truly global.

But the Internet has problems too. It has very serious problems with security and privacy. I know, as I've spent my career fighting these problems.

So where are all the problems coming from? The biggest single source of problems is the organized criminal gangs. They distribute malware and hack websites, because they make money with their attacks. Many of them make millions.

There are multiple different ways to make money by infecting computers. For example, banking trojans, which will steal money from your online banking accounts when you do online banking. Another option is keyloggers. Keyloggers silently sit on your computer and they record everything you type. So when you do online purchases in online stores and type in your name and credit card details, they will be stolen by the criminals.

The amount of money online crime generates is significant and that means that the online criminals can actually afford to invest in their attacks. And they also use the global nature of Internet to their advantage. Now the criminals who weren't capable of reaching us before can reach us.

In most cases the criminals are never caught. In the vast majority of the online crime cases we don't even know which continent the attacks were coming from. Even if we are able to find online criminals quite often there is no outcome. The local police doesn't act or if they do, there's not enough evidence or for some reason we can't take them down. I wish it would be easier. Unfortunately it isn't.

As I said, I love the Internet, I do. Think about all the services we have online. Think about if they are taken away from you, if one day you don't actually have them.

I see beauty in the future of the Internet but I'm worried that we might not get to see that.

I'm worried that we are running into problems because of online crime. Online crime is the one thing that might take these things away from us.

I've spent my life defending the net and I do feel that if we don't fight online crime, we are running a risk of losing it all. We have to fight online crime globally, and we have to do it right now.

What we need is more global international law enforcement work to find online criminal gangs; these organized gangs that are making millions out of their attacks. We can run all the antiviruses and all the firewalls in the world and that wouldn't make a difference. Catching the criminals would.

Even more importantly, we have to find the people who are about to become part of this online world of crime, but haven't yet done it. We have to find the people with the skills but without the opportunities, and give them the opportunities to use their skills for good.

Mikko Hypponen

Excerpt from my TED Talk, transcription by Diane Wiegand for American Rhetoric.

 
 

 
 
Tuesday, September 13, 2011

 
Android SpyEye Spitmo Discovered Posted by Sean @ 15:22 GMT

It was going to happen sooner or later…

Trusteer reports that an Android variant of Spitmo (SpyEye for mobile) has been discovered.

DriodOS/Spitmo

The methodology will sound familiar to those who know ZeuS Mitmo and SpyEye Spitmo: infected computers inject a message into targeted netbanks prompting customers to install software on their phones. Once Spitmo is installed, the SpyEye attacker is able to monitor incoming SMS and steal mTAN (mobile transaction authentication number) messages.

More from Trusteer: First SpyEye Attack on Android Mobile Platform now in the Wild

 
 

 
 
Monday, September 12, 2011

 
Man-in-the-Middle Attacks on Multiple Finnish Banks Posted by Sean @ 13:32 GMT

Multiple man-in-the-middle attacks are currently underway against at least two Finnish banks: Nordea and Osuuspankki.

Both banks use one-time passwords and verification codes, so run-of-the-mill phishing yields little of value to an attacker other than the account number. In this case, however, the phishing pages are connected to a server-side man-in-the-middle attack that attempts to complete a banking transaction while the stolen codes are still valid.

Here's an example of the fake Nordea site:

Nordea, man-in-the-middle

If the netbank customer enters their account ID and one-time passcode, they are asked to wait 2 minutes:

Nordea, man-in-the-middle

This gives the attack server time to configure a transfer and the customer is then asked for one of several confirmation codes:

Nordea, man-in-the-middle

And then, the customer is thanked for their time:

Nordea, man-in-the-middle
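As an added example that serves both this post and the September 30 "Trends" post (it is not the bank's, the attacker's or F-Secure's code), the simulation below models the flow in the screenshots: a printed one-time-password list for login and a second printed list of authorization codes for transfers. It shows why the real-time relay succeeds where the store-and-replay phishing of the earlier post fails, and adds one bank model the post does not describe, a confirmation code bound to the recipient and amount that the customer's own device computes only for a transfer the customer actually intended. User IDs, code lists, account numbers, amounts and the device secret are all constructed.

```python
# Added example: relay phishing against printed code lists, simulated.
import hashlib
import hmac
import random


def transaction_code(secret, details):
    """Code bound to (recipient, amount); used only by BoundBank."""
    return hmac.new(secret, f"{details[0]}|{details[1]}".encode(),
                    hashlib.sha256).hexdigest()[:8]


class Customer:
    """Holds the printed lists.  `intent` is the transfer the customer
    actually meant to make; in the phishing case there is none."""
    def __init__(self, user_id, otps, auth_codes, secret=b"", intent=None):
        self.user_id, self.otps, self.auth_codes = user_id, list(otps), dict(auth_codes)
        self.secret, self.intent = secret, intent

    def otp(self, idx):                      # "enter code number idx from your list"
        return self.otps[idx]

    def auth_code(self, idx):                # "enter authorization code number idx"
        return self.auth_codes[idx]

    def sign_transaction(self, details):     # device shows real details, signs intent only
        return transaction_code(self.secret, details) if details == self.intent else None


class ListBank:
    """Netbank as the post describes it: login with user ID plus the next
    unused code on the printed OTP list; a transfer is confirmed with one
    randomly chosen code from a second printed list."""
    def __init__(self, user_id, otps, auth_codes, balance, rng):
        self.user_id, self.otps, self.auth_codes = user_id, list(otps), dict(auth_codes)
        self.balance, self.rng = balance, rng
        self.next_otp_index, self.sessions, self.pending, self.transfers = 0, set(), {}, []

    def login(self, user_id, idx, code):
        if (user_id != self.user_id or idx != self.next_otp_index
                or idx >= len(self.otps) or code != self.otps[idx]):
            return None
        self.next_otp_index += 1                 # each printed code is used once
        token = f"session-{len(self.sessions) + 1}"
        self.sessions.add(token)
        return token

    def start_transfer(self, session, to_account, amount):
        if session not in self.sessions:
            return None
        idx = self.rng.choice(sorted(self.auth_codes))
        self.pending[session] = (to_account, amount, idx)
        return idx                               # challenge: "enter code number idx"

    def confirm_transfer(self, session, code):
        to_account, amount, idx = self.pending.pop(session)
        if code != self.auth_codes[idx]:
            return False
        self.balance -= amount
        self.transfers.append((to_account, amount))
        return True


class BoundBank(ListBank):
    """Same login, but the confirmation code is an HMAC over recipient and
    amount with a secret on the customer's device, which shows those details."""
    def __init__(self, user_id, otps, secret, balance, rng):
        super().__init__(user_id, otps, {}, balance, rng)
        self.secret = secret

    def start_transfer(self, session, to_account, amount):
        if session not in self.sessions:
            return None
        self.pending[session] = (to_account, amount)
        return (to_account, amount)              # challenge: the real details

    def confirm_transfer(self, session, code):
        details = self.pending.pop(session)
        expected = transaction_code(self.secret, details)
        if code is None or not hmac.compare_digest(code, expected):
            return False
        self.balance -= details[1]
        self.transfers.append(details)
        return True


def relay_attack(bank, customer, mule_account, amount):
    """The MitM server: each answer typed on the fake page goes straight to
    the real bank, and the bank's challenge comes back as the next fake page."""
    idx = bank.next_otp_index
    session = bank.login(customer.user_id, idx, customer.otp(idx))      # fake login page
    if session is None:
        return False
    challenge = bank.start_transfer(session, mule_account, amount)      # "wait 2 minutes"
    if isinstance(challenge, tuple):
        answer = customer.sign_transaction(challenge)
    else:
        answer = customer.auth_code(challenge)                           # "enter code #N"
    return bank.confirm_transfer(session, answer)


def store_and_replay_attack(bank, customer, mule_account, amount):
    """Plain phishing (Sept 30 post): the login is written to a file and used
    later.  In between the customer logs in to the real bank, which asks for
    the same code number and thereby consumes it."""
    idx = bank.next_otp_index
    stolen = (customer.user_id, idx, customer.otp(idx))
    bank.login(customer.user_id, idx, customer.otp(idx))   # customer's own real login
    return bank.login(*stolen) is not None                 # bank now wants code idx + 1


OTPS = ["4711", "2938", "8104", "5562"]                    # constructed printed list
AUTH = {1: "9083", 2: "1177", 3: "6420", 4: "3355"}        # constructed authorization codes
SECRET = b"constructed-device-secret"
MULE = "FI00 0000 MULE 0001"                               # constructed mule account


def scenario(bank_cls, attack, intent=None, seed=7):
    """Run one attack against a fresh bank; return (success, remaining balance)."""
    rng = random.Random(seed)
    if bank_cls is BoundBank:
        bank = BoundBank("customer-1", OTPS, SECRET, 1000, rng)
    else:
        bank = ListBank("customer-1", OTPS, AUTH, 1000, rng)
    victim = Customer("customer-1", OTPS, AUTH, SECRET, intent)
    return attack(bank, victim, MULE, 950), bank.balance


if __name__ == "__main__":
    print("list bank, real-time relay:  ", scenario(ListBank, relay_attack))
    print("list bank, store and replay: ", scenario(ListBank, store_and_replay_attack))
    print("bound bank, real-time relay: ", scenario(BoundBank, relay_attack))
```

The relay wins against the list-based bank because every code the customer types is exactly the code the bank is asking for at that moment; the "please wait two minutes" page is simply the time the server needs to log in and set up the transfer before forwarding the bank's code-number challenge. Replayed later, the same login fails. Against the bound bank the customer's device displays the mule account and amount, the customer intended no transfer, so no valid code exists for the attacker to relay.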

The process is initiated by an e-mail such as this:

Tämä on vuosittainen ilmoitus koskien Osuuspankki tiliäsi. Sinun tilisi pitää vahvistaa. Ole hyvä ja klikkaa alapuolella olevaa linkkiä ja seuraa ohjeita: Ystävällisesti, Osuuspankki
(In English: "This is an annual notice concerning your Osuuspankki account. Your account must be confirmed. Please click the link below and follow the instructions: Regards, Osuuspankki")
Screenshot by Henry Hagnäs

The e-mail targets Osuuspankki customers and is asking them to confirm their accounts as part of an annual review.

The phishing part of the attack is the same as in the Nordea example. First the ID and passcode:

Osuuspankki, man-in-the-middle

Then the request to wait two minutes:

Osuuspankki, man-in-the-middle

And then the request for the confirmation code:

Osuuspankki, man-in-the-middle

Nordea has posted a warning for its customers to be on the lookout for e-mails in poorly written Finnish.

Unfortunately, the e-mail bait is rather short (and not everyone reads carefully enough), and once the customer clicks on the link, all the Finnish has been copied from the bank's own site. Better advice would be to never click on links from e-mails, but to go to the bank via a browser bookmark.

Our Browsing Protection toolbar blocks all currently known URLs being used, but the registered owner has at least 90 other domains so new variants could come online at any time.

F-Secure Browsing Protection

Hopefully the man-in-the-middle server, hosted in France, will be shut down soon.

 
 

 
 
Saturday, September 10, 2011

 
T2 Challenge 2011 Posted by Mikko @ 08:35 GMT

T2

The T2 Information Security conference is — once again — running a challenge. The first person to solve this year's puzzle wins free tickets to the event. In addition, the T2 Advisory Board will select another winner among the next ten correct answers based on the elegance of the answer.

The challenge is online right now.

This year you are facing a multistage Challenge. Each stage contains a hidden URL. Browse to the URL and input your e-mail address to receive a link to the next stage. Once you have solved all the stages, send a description of your solution to the email address you received in the last e-mail.

There's a live scoreboard tracking the progress of the competitors.

Download the first part of the challenge (it's an MP3 audio file) to start the challenge.

Updated to add: And the winner is… Ludvig Strigeus of µTorrent, ScummVM and Spotify fame!

According to (challenge designer) Timo Hirvonen, there were only four minutes between the 1st and 2nd complete solution.

 
 

 
 
Thursday, September 8, 2011

 
New Android Riskware Posted by ThreatSolutions @ 11:41 GMT

We have just encountered a number of Android riskware applications that target subscribers in the China region.

The suspect applications cover a variety of topics, including horoscopes, farm and pet games/info and the Chinese calendar, to name a few. Below is a screenshot of the permissions requested by one of these applications:

Riskware:Android/MobileTX.A Permissions

However, some of the applications do not even look like what they claim to be and eventually crash (probably bad programming):

Riskware:Android/MobileTX.A, Force close

Before the application crashes, however (and usually right after it is launched), it retrieves the phone's International Mobile Subscriber Identity (IMSI) number and then attempts to connect to a remote site:

  •  http://mobile.tx.com.cn:[...]/client.[...].do
  •  http://mobile.tx.com.cn:[...]/client/[...].do

It checks whether the phone's IMSI already exists on the server (at the time of writing, the remote sites were still accessible).

If the application isn't able to access the remote site, or the site somehow returns an error response, it will proceed to send out an SMS message.

The SMS sending component first determines the phone's subscriber ID, then, depending on the retrieved information, selects the recipient number to which it sends the message.

The SMS body contains the following format:

  •  99# [ IMSI ]#android#[ app_specific_string ]

At the moment we're still investigating the implications of the application's behavior; this may or may not be another example of fraudulent SMS registration for services. Nevertheless, the fact that it automatically sends out an SMS containing the phone's IMSI without the user's awareness or consent is not very desirable.

This is aside from the possible charges incurred and the unwanted identification of the phone's number to whoever receives the message.

We will detect these applications as Riskware:Android/MobileTX.A.
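As an added example (not F-Secure's detection logic), here is how the registration message described above can be picked out of an outgoing-SMS log and its IMSI decoded for triage. The message format and the IMSI-first behaviour are taken from the post; the regular expression assumes the bracketed fields are written out with no surrounding whitespace (the brackets above being notation). The log lines and recipient numbers are constructed, and the MCC table is a tiny subset of the ITU allocation (460 is China).

```python
# Added example: triage of an SMS log for the "99#<IMSI>#android#<string>" message.
import re
from typing import Optional

MCC_NAMES = {"460": "China", "244": "Finland", "310": "United States"}   # subset
EXFIL_RE = re.compile(r"^99#(?P<imsi>\d{15})#android#(?P<app>[^#]*)$")


def parse_imsi(imsi: str) -> Optional[dict]:
    """IMSI = 3-digit MCC + 2- or 3-digit MNC + subscriber number.  Without
    the full allocation table the MNC length is ambiguous, so report both."""
    if not re.fullmatch(r"\d{15}", imsi):
        return None
    mcc = imsi[:3]
    return {"mcc": mcc, "country": MCC_NAMES.get(mcc, "unknown"),
            "mnc_candidates": (imsi[3:5], imsi[3:6])}


def match_exfil_sms(body: str) -> Optional[dict]:
    """Return the decoded fields if `body` has the riskware's format, else None."""
    m = EXFIL_RE.match(body.strip())
    if m is None:
        return None
    return {"imsi": m.group("imsi"), "app_string": m.group("app"),
            **parse_imsi(m.group("imsi"))}


def triage(log_lines):
    """Log format (constructed for this example): 'timestamp<TAB>recipient<TAB>body'."""
    hits = []
    for line in log_lines:
        ts, recipient, body = line.rstrip("\n").split("\t", 2)
        hit = match_exfil_sms(body)
        if hit is not None:
            hits.append({"time": ts, "recipient": recipient, **hit})
    return hits


# Constructed log: one ordinary message, one registration message carrying a
# China Mobile style IMSI (MCC 460, MNC 00), and one near miss.
SAMPLE_LOG = [
    "2011-09-08T10:02:11\t+358-constructed-1\tSee you at 6?",
    "2011-09-08T10:02:14\t106-constructed-2\t99#460001234567890#android#horoscope_v2",
    "2011-09-08T10:05:30\t+358-constructed-1\t99# not an imsi #android#x",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The recipient number is worth keeping in the hit record: the post notes that it varies with the subscriber ID, so the set of recipients seen across samples is itself an indicator.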

—————

Updated to add: MD5 hash for the sample used for the screenshots in this post:

  •   60adc37a086caa8f53f2ce6b4d2a0c0b

Other samples:

  •   99dc3f2f0b5cd593ca1a388b419d9b69
  •   8d01bb974e06222948ed46bf68330fa9
  •   fa737722fa4eae53c399ba9c7e46d06e
  •   3f69ee38aad7cbf718d2620ce70c76b2



Threat Solutions post by — Jessie, Irene and Yeh

 
 

 
 
Tuesday, September 6, 2011

 
Are you monitoring your business's Google Place? Posted by Sean @ 10:48 GMT

Running a small business can be a difficult job (particularly in today's economic climate). Competition can be very cut-throat… and dirty tricks are sometimes played by the unethical.

For example: In 2003, Saad Echouafni, owner of Orbit Communications (a satellite television reseller), paid for an Ohio botmaster (Richard Roby) to DDoS the websites of two competitors. In 2005, Roby, the botmaster, was convicted of computer crimes in US federal court. Investigation into Roby's crimes revealed a link to Echouafni and a co-conspirator (Paul Ashley) who also pleaded guilty to related crimes in 2005. Echouafni paid bail and fled US jurisdiction.

Reportedly, at the height of the DDoS attacks, Rapid Satellite and WeaKnees were offline for two weeks. It's quite an interesting tale and you can read more here: Feds bust DDoS 'Mafia', by Kevin Poulsen.

Wow, a DDoS Mafia, circa 2003. But what's the situation in 2011?

Well — it's a lot simpler. It's also more "social". And it isn't just about online business anymore.

Today, if you want to hurt a real-world competitor, they don't even need to have a website; you can just take them off the map.

Google Maps, that is.

F-Secure, Google Maps

Monday's New York Times has an interesting article on a trending issue: fraudulent "problem reporting" of Google Places.

It seems that numerous small business owners are discovering their businesses are "permanently closed".

And how does that happen?

Well, here's F-Secure's place on Google:

F-Secure, Google Places

Under the "more" menu is an option to "Report a problem".

One of the problems that can be reported is that the "Place is permanently closed."

Google Places, Report a Problem

A couple of submissions will cause the place to be "reported" as closed, but it doesn't take long before Google labels the place as "permanently closed". At that point, some business owners are finding it difficult to "re-open" their business.

And if you don't exist on Google, you might as well not exist in real life.

According to the New York Times article, Macadamia Meadows Farm, a bed-and-breakfast in Naalehu, Hawaii, suffered a significant decline in business for weeks before the owners discovered their change of status on Google.

Now that's a subtle (and ingenious) "denial of service" attack.

Google is apparently working to provide better tools and preventions (e-mail alerts), especially so after blogger Mike Blumenthal and a friend closed Google's HQ on August 15th.

In the meantime, if you haven't examined the details of your business's Google place, you might want to do so now. Google Maps is a very popular way for people to search for new businesses, especially via their mobile devices.

You don't want your business labeled as "closed" and end up losing out on potential new customers.

 
DigiNotar Hacker Comes Out Posted by Mikko @ 05:23 GMT

Almost from the beginning of the DigiNotar CA disaster (report here), we had reason to believe the case was connected to "ComodoGate", the hacking of another Certificate Authority earlier this year by an Iranian attacker.

This connection has now been confirmed.

After ComodoGate, the hacker — who called himself ComodoHacker — sent a series of messages via his Pastebin account. Then at the end of March 2011, it went silent. We've been keeping an eye on it, just in case the attacker will post something related to the Diginotar case.

And he just did.

Comodo Hacker

In his latest post, ComodoHacker claims that he is the one that hacked DigiNotar as well. He also claims he still has access to four other "high-profile" CAs and is still able to issue new rogue certificates (including code signing certificates).

As proof that he really did infiltrate DigiNotar, he shares the domain administrator password of the CA network: Pr0d@dm1n. DigiNotar would be able to confirm whether this is accurate or not.

The same hacker seems to be active on Twitter as well, under the nickname "ich sun" at @ichsunx2.

Ichsunx2

The Certificate Authority system is in bad shape indeed. For some answers on what we should do next, we recommend watching this video of Moxie Marlinspike's Black Hat 2011 talk.

 
 

 
 
Monday, September 5, 2011

 
DigiNotar and Facebook Post Updates Posted by Sean @ 16:08 GMT

We updated two of our recent posts today.

DigiNotar: It turns out that DigiNotar was hacked. A list of known domains for which the attacker managed to create fake certificates can be found at the end of this post.

—————

Facebook: We were far too optimistic about Facebook's "Info accessible through your friends" [to applications] setting. Based on our initial reading of the proposed changes, it appeared that Facebook might be restricting access.

Instead, it appears they are expanding access to "anyone" (but not "everyone"). Clear, right?

Read more in the update at the end of this post.

 
 

 
 
Friday, September 2, 2011

 
20 Years at F-Secure Posted by Mikko @ 08:22 GMT

I got this yesterday.

20 years

So, I've worked 20 years at F-Secure.

I was 21 when I joined the company in 1991. At the time I was working on a Macintosh LC II and 386 PCs running MS-DOS 3.3 and Windows 3.0. A bit later we also had access to some NeXT systems, which were really cool, as they could talk and all that.

We were mostly fighting Mac viruses in 1991. You see, in the late 1980s and early 1990s Apple was the most problematic virus platform. On the PC side it was mostly boot sector viruses and simple COM file infectors at the time.

I've sometimes thought back about my career in computer security. When I was in high school, one of my best friends went on to become a construction engineer. Today he can go around and show what he's done to his children. "Look, Daddy built that bridge. And Daddy built that house."

I've worked very hard in computer security for the last 20 years. And there's nothing I can show for it. No bridges. No houses. I've done nothing.

But then I realized that in many ways the work we do in computer security is important in its own way. Because our job is to help others.

People come to us, asking for help. Today's modern malware, trojans, backdoors and rootkits are way too complicated for any normal user to handle. They need our help for that. They come to us, asking for us to save their files. Their database. Their photos. Their memories, or their company.

That's what we do. We help others. And that, my friends, is a noble thing to do.

So thank you.

—————

If you're interested, Darren Pauli from SC Magazine Australia wrote an article about some of the stuff I've run into during the last 20 years.

I'd like to thank current and past colleagues for the past 20 years. It has been a privilege. Here's to the next 20 years!

Mikko