NEWS FROM THE LAB - September 2012


Friday, September 28, 2012

CVE-2012-1535 and Nuclear Warheads Posted by Sean @ 13:30 GMT

Our corporate business team has an upcoming "software updater" feature in our Protection Service which they want to market. So they asked our lab analyst @TimoHirvonen to provide them with an example demonstrating the amount of time it takes to go from vulnerability to exploit.

Here's the timeline Timo came up regarding CVE-2012-1535:

  •  2012-08-14: Security update available for Adode Flash player, patches vulnerability CVE-2012-1535.
     (Security update available for Adobe Flash Player)
  •  2012-08-15: Microsoft Office Word documents with embedded Flash exploit for CVE-2012-1535 seen in the wild.
     (CVE-2012-1535: Adobe Flash being exploited in the wild, CVE-2012-1535 - 7 samples and info)
  •  2012-08-17: Exploit is added to Metasploit Framework — a public, open-source tool for developing and executing exploits.
     (Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit)

As you can see, it doesn't take much time at all to commoditize a vulnerability into an exploit.

And then Timo got curious (as he often does) and decided to research the exploit itself, Exploit:SWF/CVE-2012-1535.B.

He did some searching and found this Digital4rensics Blog post, which links to a VirusTotal report on a doc file called 110630_AWE Platinum Partners.doc. Symantec has a CVE-2012-1535 post that shows a censored screenshot of the e-mail (or at least similar) with the document attached. And Contagio has a list of multiple Word docs using the same exploit.

So Timo located a few examples:

CVE-2012-1535 Docs

110630_AWE Platinum Partners.doc turned out the be the most interesting. According to the Digital4rensics Blog linked to above, AWE Limited is an Australian Oil & Gas company. But that didn't sound right to Timo. He recognized the name Tybrin in one of the other docs, and connected it to Jacobs' TYBRIN Group, which does U.S. Department of Defense work.

So then, let's take a look at the decoy document dropped by 110630_AWE Platinum Partners.doc:

Working together to keep our world safe and secure by ensuring warheads are always available

"Working together to keep our world safe and secure by ensuring warheads are always available."


That doesn't sound related to an oil and gas company…

Searching on LinkedIn for people named in the decoy document lead to another organization called AWE, this time in UK:

Atomic Weapons Establishment

It appears that AWE stands for Atomic Weapons Establishment.

Regardless of the content of the files, we don't know who was targeted with this attack and we don't know who submitted these documents to VirusTotal.

SHA1 of 110630_AWE Platinum Partners.doc: 51bb2d536f07341e3131d070dd73f2c669dae78e
SHA1 of decoy: 0eb24ffa38e52e4a1e928deb90c77f8bc46a8594


Adobe Cert Used to Sign Malware Posted by Sean @ 11:53 GMT

Adobe's head of product security, Brad Arkin, published a very interesting post on Thursday.

As it turns out, one of Adobe's build servers was compromised and was used to create malicious files with Adobe's digital signature.

Inappropriate Use of Adobe Code Signing Certificate:

Inappropriate Use of Adobe Code Signing Certificate

According to accompanying Security Advisory, there are two "utilities" using three files. The Adobe signed versions are isolated to a single source according to Adobe, and our back end metrics concur. None of the Adobe signed files have been seen within our customer base.

There have been instances of the non-Adobe signed PwDump7.exe, but those are limited. You can probably tell what PwDump7.exe does based on its name, it steals password hashes from Windows OS. An associated file that PwDump7.exe uses is libeay32.dll, which is an OpenSSL library. And there are hundreds of thousands of pings of this (a legitimate clean file) in our back end.

The second malicious file is called myGeeksmail.dll, which Adobe believes to be an ISAPI filter.

There is no non-Adobe signed verison of this file in the wild.

The MD5 hash of myGeeksmail.dll with the Adobe signature removed is: 8EA2420013090077EA875B97D7D1FF07

Adobe will revoke the compromised certificate on October 4, and is currently issuing updates using a new digital certificate.

And on a final note: Perhaps this is a good moment to again recommend @jarnomn's CARO 2010 presentation: It's Signed, therefore it's Clean, right? [PDF] (Make sure to check out slide #25.)


Wednesday, September 26, 2012

Samsung TouchWiz Devices Vulnerable to Mischief Posted by Sean @ 11:58 GMT

Saw this tweet yesterday on Twitter:


The account is a parody… but the "tel:*2767*3855%23" is quite serious.

It's a reference to a "vulnerability" which exists on some versions of Samsung Android phones, those running Samsung's TouchWiz UI. (So, not Nexus.) And by vulnerability, we mean that some "genius" developed a feature to factory hard reset TouchWiz devices using an Unstructured Supplementary Service Data (USSD) code — without requiring a prompt from the user!

As such, there are numerous ways in which a device could be remotely targeted and prompted to run service commands.

The vulnerability was demonstrated by Ravi Borgaonkar last weekend at the Ekoparty security conference, which you can see here.

The good news is that Borgaonkar informed Samsung in June. Current versions of Galaxy S III firmware should not be vulnerable.

Remote wipe via iframe USSD trigger

Also good news: remote factory hard resets don't exactly have a profit motive. So this isn't something anybody will likely ever see in the wild. But still, if you have a Samsung running TouchWiz, make sure you update to the latest firmware.

Also, other vendor's phones could be subject to similar issues. One workaround to consider is a third-party dialer app.

Updated to add: The Verge reports that the remote wipe flaw is not limited to Samsung phones.

We have also found in our own tests that successful exploitation is browser dependent.

For example, our Mobile Security includes a Safe Browser which doesn't support the "tel:" method.

F-Secure Mobile Security, Safe Browser

So, a malicious tel: frame fails, rather than launching the phone's dialer.

Also, tel: appears to be unsupported by Chrome for Android.


Tuesday, September 25, 2012

A View Inside Our KUL Lab Posted by Sean @ 11:30 GMT

Here's an iOS 6 panorama view of our lab in Kuala Lumpur (Malaysia) as taken by analyst @raufridzuan, sometime around 6:45 PM.

F-Secure Labs, Kuala Lumpur
Click image to embiggen.

Looks to be at least four people there. Long day… and they're probably still there… two hours later.

Good home, guys.


Monday, September 24, 2012

Backdoor:OSX/Imuler.B No Likes Wireshark Posted by Sean @ 14:25 GMT

A new variant of Mac malware — Imuler.B — has recently surfaced. It's pretty much the same as Backdoor:OSX/Imuler.A, but with small changes and code optimizations. The current C&C server is

One interesting new function: Imuler.B exits if Wireshark is found.

Imuler.B, Wireshark exit

Imuler is thought to be targeting Tibetan rights activists.

In other Mac related news: our Broderick Aquilino will be giving a presentation this Thursday at VB2012 on Flashback OS X malware.


Friday, September 21, 2012

It's Out of Cycle Patch Friday Posted by Sean @ 14:23 GMT

As you probably know by now, there's a critical vulnerability in several versions of Microsoft's Internet Explorer.

Microsoft Security Advisory (2757760)
Microsoft Security Advisory (2757760)

Microsoft has previously released a "Fix it".

And today (September 21) at 10:00 AM Pacific Time, Microsoft will release a security update. As in an out of cycle patch.

So… it's unscheduled patch Friday, folks. (Don't hold your breath this will be deployed by IT before the weekend.)

In the meantime, German authorities have recommended using an alternative browser.

We would add this: why aren't you already using multiple browsers? They're FREE! Heck, download them all, collect them with your friends, and configure them for particular tasks! We routinely use three browsers during our workday. One is limited to our Intra and is all but crippled for Internet use. And the others have a variety of plugin configurations and privacy settings.

If you (and your organization) are still using just ONE browser — just what are you waiting for? A budget?


Thursday, September 20, 2012

The United States of ZeroAccess Posted by Sean @ 12:41 GMT

Monday's post included a screenshot of the ZeroAccess botnet as visualized in Google Earth. Well, we've finished cleaning up the KML file which now includes 139,447 bot locations based on IP addresses associated with approximately 2,600 samples.

ZeroAccess is a very large botnet and there are millions of infections globally.

Here's the USA:

ZeroAccess, USA
Click the image above for a larger view.

Here's Europe:

ZeroAccess, Europe
Click the image above for a larger view.

And here's a zip file (1.8MB) containing with the csv/kml files so you can examine the data for yourself.

Analysis and data extraction by — Marko and Wayne


Tuesday, September 18, 2012

Internet Explorer Zero-Day and Safe Browsing Posted by Karmina @ 14:36 GMT

The people behind the Java zero-day CVE-2012-4681 have been busy. It was only a few weeks ago that the Java vulnerability was made public and now they have again discovered a hole in Internet Explorer versions 6, 7, 8 and 9.

A code exploiting this vulnerability has been discovered in the wild wherein the malicious webpage loads a flash file that causes a heap spray to load another file. After which this other file will check for the exploitable IE versions and trigger the vulnerability which leads to the download of a malicious payload. The exploitation is discussed here in detail.

Microsoft has responded and released an advisory for this. However, they did not yet specify an ETA for the fix.

We have released these detections for samples related to the exploit that targets this vulnerability:


However, given that the code is already very visible as there's now a metasploit module, we strongly suggest to not solely rely on those detections but to also be vigilant in further protecting yourselves from other possible implementations. It used to be that when it's IE and zero-day, all the alarm bells sound off and the administrators helplessly panic at a possible outbreak that may be caused by an exploitation. However, times have changed and there are now more options out there for anyone. While the vulnerability has not yet been patched, please use a different browser. You can take a pick from Chrome, Firefox or Internet Explorer 10 for now.

IE 10 is not affected with this vulnerability.


Monday, September 17, 2012

ZeroAccess: We're Gonna Need a Bigger Planet Posted by Sean @ 15:08 GMT

Some botnets are so big… you can see them from space (or at least, Google Earth).

Here's what the ZeroAccess botnet looks like in Europe:

ZeroAccess, as seen from space
Click image for an expanded view (1680x1030).

More to follow — just as soon as we scare up some additional RAM to render the more than 140,000 unique IP address that we've discovered thus far.


Thursday, September 13, 2012

Cosmo The Hacker God Posted by Sean @ 15:53 GMT

In early August, Gadget Lab writer, Mat Honan, experienced an "epic hacking". His own.

  •  How Apple and Amazon Security Flaws Led to My Epic Hacking

Mat's iPhone, Mac, and Google account were obliterated — and all because the hackers wanted access to his three character (@mat) Twitter account. (YouTube: Our thoughts on the hacking of @mat.)

It took considerable effort (and cost!) to recover Mat's data:

  •  How I Resurrected My Digital Life After an Epic Hacking
  •  How DriveSavers Got My Data Back

Naturally, Mat has developed a strong interest in the types of social engineering methods which were used to "hack" his accounts. And a member of one of this year's most infamous hacker gangs, UGNazi (@UG) contacted @mikko to offer his assistance.


Which brings us to Mat Honan's latest story:

  •  Cosmo, the Hacker 'God' Who Fell to Earth

Read it.

Quote: "The only thing I am certain of is that online security is an illusion."

Before reading, we felt more or less comfortable that all of our eggs weren't exposed in just one basket. But now, after having read this story… well, now perhaps it's time to track down and delete some of our older underused eggs (accounts).


Slapper Posted by Mikko @ 08:52 GMT

Ten years ago, one of the largest Linux worm outbreaks was underway. Known as Slapper, the worm infected Linux machines via an OpenSSL vulnerability. Infected Linux servers were organized into a P2P network which could then be used to launch DDoS attacks.


Although Slapper was not the first Linux worm (at least ADMworm and Ramen were found before it), it was the biggest case of its time. We spent quite a bit of time analyzing the case. In the end, we infiltrated the P2P network and worked with CERTs around the world to bring it down.

Global Slapper Information Center

In 2002, Linux wasn't as popular as it is today. In 2012, most web servers are running on various Linux distributions. Linux versions are the most common OS in embedded and factory automation systems. And of course, it's the most common operating system in smartphones.

Nevertheless, malware was not really a problem for Linux users for years and years.

But in the end, it was Android that became the Linux distribution that brought the malware problem to Linux world in large scale.


Wednesday, September 12, 2012

Revolutionary New "Anti-Fishing" Technology Posted by Sean @ 10:04 GMT

Take a look at this awesome "anti-fishing" tech we've developed:

F-Secure Lure

And it works great!



Friday, September 7, 2012

A Map of Gameover (P2P ZeuS) Variants #Italy Posted by Sean @ 12:32 GMT

Our back end automation began logging "Gameover" related IP addresses back in May. Gameover is the Peer-to-Peer variant of the ZeuS banking trojan. Last week, we took 3,300+ of the IPs and performed a GeoIP lookup on them.

And the results were quite intriguing!

View Larger Map

Download: GameoverIPs.kml

Italy accounted for nearly 10% of the total number of IP addresses:

Gameover P2P ZeuS, Italy

Italy, there, underneath all the caution icons…

Being curious about high number of per capita infections, we then searched the Web for additional research and discovered Brett Stone-Gross's excellent report at Dell SecureWorks.

His underreported (according to Brian Krebs) analysis more than confirms our own findings. Italy has a significant number of Gameover infections.

Gameover Infections by Country

Stone-Gross's report, The Lifecycle of Peer-to-Peer (Gameover) ZeuS, includes details on 678,000 unique Gameover bots, of which, 5.1% are Italian.

From the Gameover configuration file that our analysts recently obtained, we can see that there is an active Italian campaign underway at this time. The at sign (@) indicates bank sessions that Gameover should focus on, screen-capture on click.

  •  @
  •  @*
  •  @*
  •  @*
  •  @*
  •  @https://**
  •  @*
  •  @*
  •  @https://**

Also of notable interest are the Arabic banks listed within the configuration file.

For the CCNA's among you: Gameover communicates with its peers via UDP on randomly assigned (at installation) ports between 10,000 and 30,000. Such communication happens routinely every several seconds or so and are small, between 40 to 350 bytes. Larger communications happen via TCP. Monitoring for an extended length of time will probably reveal repeated IP addresses.

Our earlier speculation that Gameover's sophistication is evidence of the original ZeuS author's involvement is supported by Krebs on Security posts such as this one which suggests Slavik's continued activity after his supposed "retirement".


Analysis by — Marko and Mikko S.


Governments Recruiting Backdoor Authors #germany Posted by Mikko @ 12:17 GMT

Just couple of years ago, it would have been unthinkable that governments would be openly recruiting trojan and backdoor developers to work for them.

Yet, that's exactly what's happening now.

For a fresh example, here's an ad from the website of the German Federal Criminal Police Office (BKA)


They are looking for a developer. Let's take a closer look at the job description


Ihre Aufgabe: Mitarbeit bei der Softwareentwicklung und -pflege zur Schaffung der technischkriminaltaktischen Voraussetzungen zum verdeckten polizeilichen Zugriff auf entfernte Rechnersysteme

Translated to English:
Your task: Contribute to the development and maintenance of software to provide covert police access to remote computing systems

This isn't new: We know that German Government has been using trojans against their own citizens before. However, they used to buy their trojans. Now it looks like they are developing their own.


Wednesday, September 5, 2012

World at 2022 Posted by Mikko @ 22:34 GMT

Tom Scott has a pretty accurate prediction of what the World will look like in 2022.



Gameover ZeuS Posted by ThreatResearch @ 11:41 GMT

Excerpted from from our Threat Report H1 2012:

In the last year ZeuS has separated into more than one separately developed crimeware families after the source code for version was leaked. An interesting development is a peer-to-peer version of ZeuS, which has been dubbed "Gameover".

The Gameover peer-to-peer (P2P) version was the second ZeuS derivative to appear in the wild and uses a peer-to-peer network to fetch configuration files and updates from other infected computers. The extensive changes incorporated into the derivative focus almost exclusively on the configuration file, and appear to be aimed at hindering retrieval and analysis. Many of the changes are to code sections that have been unaltered for years, such as the binary structure and compression method, which has not changed since 2008 (version 1.2).

The date this version was released to the public can be estimated from the registration data for the domains created by its Domain Generation Algorithm (DGA). The trojan uses these domains as "backup servers" if it cannot connect to other machines on the P2P network. As the first domain registration occurred on September 5th 2011, the trojan was likely let loose close to that date. These backup servers only host another list of infected machines from which the trojan could retrieve the actual configuration file. This backup system means that the configuration file is never stored on an external web server, but is handled entirely within the botnet itself.

All analyzed P2P samples have contained the same RSA public key used to check the digital signatures of incoming files.

Other botnet specific encryption keys have also been the same. We conclude that the P2P version must therefore be a private one and the kit used to create the trojans has not been resold further. This also means that all of these trojans link to the same botnet, which is controlled by a single entity. Based on the extensive changes and relatively short time it took for this version to appear after the source code leak, it is probable that the P2P version was not created by an outsider working from the leaked code. It is a logical, carefully crafted evolution of the ZeuS code and could perhaps even be called ZeuS 3. While there is no way to identify its author, it is certainly plausible that it is the same person who was behind the original ZeuS 2.

ZeuS Distribution, April - May2012

Download the full Threat Report from here.


Tuesday, September 4, 2012

Perfecting the Fake - Android Edition Posted by Karmina @ 14:07 GMT

When fake AVs used to take the limelight, their user interface started from pretty-crappy-and-obviously-rogue-AV and ended up with a very convincing design. It took a while for the miscreants to get there, but they really poured some work in an attempt to perfect the design in order to get a wider victim-base.

It looks like the websites for fake android applications are taking the same road. For quite some time, they have been using the same website layout template. Examples of the latest applications they mimic are: Android Office, Winamp, Doodle Jump, DrWeb, Mass Effect, and Nova 3.


However, that trend could be changing. We have already seen some fake applications that dropped the template act altogether in order to create a more polished design.


Say, for example, this Chrome and fake Chrome websites. Without the word fake, would you be able to spot the difference?


They are getting more and more convincing. It makes one wonder what the look and feel of these websites are going to be in a few months time.

It does not mean that if it looks pretty good, it is good. In the Android world one has to be wary and careful before installing anything on their devices.

We are detecting the malicious applications from these sites under the Trojan:Android/Fakeinst family. In addition to that, our Mobile Security customers are prevented from accessing such malicious websites by its Browsing Protection feature.


Monday, September 3, 2012

Tips For Java Junkies Posted by Sean @ 19:11 GMT

So, according to our recent poll, only 12% of you don't have Java Runtime Environment (JRE) installed. And the rest of you (88%) are Java junkies to one degree or another.

Java Poll

Okay, well, for the 41% of you that have Java installed and also have browser plugins enabled, we hope you're at least using Java via Google Chrome, which prompts the user for permissions each time it comes across Java.

Chrome, Java needs your permission to run

Are you a Firefox user? Perhaps Plugins Toggler, an extension by Trinh Nguyen will encourage you to disable Java in your browser.

Firefox extension, Plugins Toggler

It's a very simple and easy to use toolbar button that lets you open and "toggle" any installed plugins. So then you could leave Java disabled by default, but enable it when needed without having to dig through options menus.

Plugins Toggler

(A dedicated Java toggler button extension would be nice. Hint, hint.)

If you're now tempted to limit your Java plugins, why stop there? Why not inhibit all of your plugins? (As in Adobe Flash.)

Google Chrome includes an option for "Click to play" in Content settings (chrome://chrome/settings/content).

Chrome, Settings, Content, Plug-ins

Firefox introduced its own click to play options in version 14, but you have to open about:config to enable. And you can whitelist sites, but not from a convenient central location as in Chrome. But then… it's still a beta feature in Firefox, so what can one expect.

Firefox, plugins.click_to_play

Not perfect, but pretty good.

Just one final thought on Java: if you're going to remain among the majority that keep it installed on your primary computer, do also remember that Java (as well as other plugins) can be invoked from applications with banner ads.

Applications such as Spotify which suffered a compromise and attack via its third-party banner ads.

Update: Ask and you shall receive. A reader has suggested Doug G's QuickJava for a Java toggle button. Thanks!

Firefox Extension, QuickJava


Recommended TEDTalk: Behind the Great Firewall of China Posted by Sean @ 16:53 GMT

A few weeks ago, we recommended some audio reports on Chinese Microblogging and censorship.

Today we discovered this related, and very entertaining, TEDTalk by Michael Anti (aka Jing Zhao):

Behind the Great Firewall of China


On the International Law Applicable to Cyber Warfare Posted by Sean @ 15:29 GMT

The NATO Cooperative Cyber Defence Centre of Excellence (an independent "International Group of Experts") has published a draft of its not so light reading titled: The Tallinn Manual on the International Law Applicable to Cyber Warfare.

It's well worth your time if you're at all interested in how existing international law applies to cyber conflicts, something the CCD COE refers to as a "new" form of warfare.

The Tallinn Manual on the International Law Applicable to Cyber Warfare

Rule 30: Definition of Cyber Attack

The Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 30

Rule 66: Cyber Espionage

The Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 66

Hat tip to @lferette (via @BrianHonan).