NEWS FROM THE LAB - September 2013


Monday, September 30, 2013

Privacy: a Core Finnish Value Posted by Sean @ 15:05 GMT

Enumerated rights are cool. And here's an enumeration we're particularly fond of…

The Constitution of Finland, Section 10 — The right to privacy

"Everyone's private life, honour and the sanctity of the home are guaranteed."

"The secrecy of correspondence, telephony and other confidential communications is inviolable."


And there's even more enumeration here…

Act on the Protection of Privacy in Electronic Communications


Privacy — it's a core Finnish value. And central to everything we do here at F-Secure.


Thursday, September 26, 2013

New TDL Dropper Variants Exploit CVE-2013-3660 Posted by ThreatResearch @ 08:48 GMT

Recently, we have been seeing a new breed of TDL variants going around. These variants look to be clones of the notorious TDL4 malware reported by Bitdefender Labs.

The new TDL dropper variants we saw (SHA1: abf99c02caa7bba786aecb18b314eac04373dc97) were caught on the client machine by DeepGuard, our HIPS technology. From the detection name, we can see that the variants are distributed by some exploit kits.

[image: TDL4_clone_exploited_in_the_wild]

Last year, ESET mentioned a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process's privileges to gain administrator access. The droppers of the variants we recently saw also use the same techniques mentioned in ESET's blog post, but with some minor updates.

Recap: TDL4 exploits the MS10-092 vulnerability in the Microsoft Windows Task Scheduler service to elevate the malware's process privileges in order to load the rootkit driver. The new variants instead exploit the CVE-2013-3660 EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy:

[image: TDL4_clone_ExploitingCVE_2013_3660]

One of the notable differences between the new variants and classic TDL4 is the configuration file, which is embedded in the resource section of the dropper as RC4 encoded data:

[image: TDL4_clone_config_ini]

This is hardly the first malware family to exploit CVE-2013-3660, but it is a neat demonstration of how fast malware authors take up publicly available exploit code - in this case, the exploit code went public three months ago.

Post by — Wayne


Tuesday, September 24, 2013

H1 2013 Threat Report Posted by Sean @ 06:57 GMT

Our H1 2013 Threat Report is now online:

F-Secure Threat Report H1 2013

You'll find it — as well as our previous reports — available for download: here.


Thursday, September 19, 2013

iOS 7 Security Prompts Posted by Sean @ 12:33 GMT

Apple's iOS 7 was released yesterday…

And it has some nice new security prompts:



If you come across more, Tweet them to @FSecure.


Wednesday, September 18, 2013

Vulnerability in IE Could Allow Remote Code Execution Posted by Sean @ 12:26 GMT

This is probably required reading if you're a Windows systems administrator of any sort: Microsoft Security Advisory (2887505).

Microsoft Security Advisory for CVE-2013-3893

All versions of Internet Explorer are affected.

Microsoft is currently aware of "a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9." The limited nature of attacks is very likely to change in the near future as exploit kit providers will now move to add support for an exploit based on the vulnerability. Our detection for such exploits is already in progress.

In the meantime, Microsoft has released a Fix it tool to mitigate potential attacks until a patch is released.

Updated to add:

Our exploit detection based on this vulnerability has now been released.

Details: Exploit:HTML/CVE-2013-3893.A


Monday, September 16, 2013

September 23rd: Threat Report Webcast Posted by Sean @ 15:58 GMT

Join us September 23rd for a webcast based on our forthcoming Threat Report.

Join the event and other details.

Tweet your questions @mikko using the hashtag #WWPY.

If you don't have a Google account (like some of us) the webcast will be available after completion on YouTube.


Friday, September 13, 2013

Rootkit Cafe Posted by ThreatResearch @ 08:13 GMT

Have you ever wondered about the ads you might have seen being shown on the desktop or in the browser during web browsing sessions at Internet cafes? One of our analysts, Wayne, certainly did.

He recently analyzed a sample (SHA1: c8c643df81df5f60d5cd8cf46cb3902c5f630e96) that gave him an interesting answer. The sample was a rootkit named in its code as LanEx, though we detect it as Rootkit:W32/Sfuzuan.A:

[image: LanEx]

Wayne traced the sample back to an advertising company in China called 58wangwei that runs an affiliate program for cafe operators looking to maximize the profits from a constant stream of eyeballs staring at their PCs. Their solution? Display ads to the cafe users.

The marketing spiel on the advertising site mentions that "a single PC in the Internet Cafe operates 20 hours per day on average, excluding the PC idle time". While we don't have any statistics that would back that claim, very informal personal observation would seem to support it.

Anyway, interested cafe operators are directed to a webpage where they can download a software package (with the installer for the rootkit). The page includes a control panel to configure various functions in the rootkit, for example the default page it sets the web browser to. The various options available are all search engines almost exclusively targeted to mainland China. Each option has specified dollar amounts, for example 26 yuan for 1000 unique visitors to one engine.

The operator then manually installs the package (which will then download the rootkit) on their computers and presto! They should be coining money, right? Not quite - it's not all smooth sailing for the operators. At least one support forum (Chinese language only) has operators asking for more details about the package and griping about it causing BSODs on their machines:

[image: LanEX_BSOD]


Most of the operators aren't actually aware of what the rootkit is doing on their machines. The program is mainly aimed at displaying advertisements, and its functions are:

   •  Hides the processes belonging to the advertising modules through an SSDT hook
   •  Prevents the advertising modules' processes from being terminated through an SSDT hook
   •  Prevents access to certain webpages (based on the URL's IP address and port number) through an NDIS hook

The control panel on the webpage where operators download the installer for the rootkit also includes the option to select which processes they want to hide, in addition to the ad module-related processes, which are hidden by default.

Technically, the most interesting part of the rootkit is that it uses an NDIS hook to filter all the HTTP request and response messages sent over the network. If a prohibited HTTP request is encountered, the packet is modified and a crafted HTML page is returned by the rootkit.

The HTML page is either a hidden iframe or HTTP 302 redirection that redirects the user's browser to a specified website:

[image: lanex_redirection]

For users, the result of having the rootkit on a machine they're using is inescapable exposure to advertisements. They may also be redirected to unsolicited websites.
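As an added illustration, not code from the original post or from F-Secure, here is a small Python heuristic that triages captured HTTP responses for the two injection patterns described above: a hidden iframe pointing at a third-party host, and a 302-style redirect to a host other than the one the browser requested. The sample responses and host names are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample traffic (not real captures): (requested_host, raw HTTP response).
SAMPLES = [
    ("news.example", "HTTP/1.1 302 Found\r\nLocation: http://ads.example.net/land?ref=1\r\n"
                     "Content-Length: 0\r\n\r\n"),
    ("news.example", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>"
                     "<iframe src=\"http://ads.example.net/x\" width=\"0\" height=\"0\" "
                     "style=\"display:none\"></iframe></body></html>"),
    ("news.example", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     "<html><body><p>Normal page</p></body></html>"),
    ("shop.example", "HTTP/1.1 302 Found\r\nLocation: https://shop.example/login\r\n\r\n"),
]

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Attributes that make an iframe invisible to the user.
HIDDEN_RE = re.compile(
    r"""(display\s*:\s*none|visibility\s*:\s*hidden|\bwidth\s*=\s*["']?0|\bheight\s*=\s*["']?0)""",
    re.IGNORECASE)

def split_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def analyze(requested_host, raw):
    """Return (finding_type, target_host) tuples for one response; empty list means clean."""
    findings = []
    status, headers, body = split_response(raw)
    parts = status.split()
    code = parts[1] if len(parts) > 1 else ""
    if code in ("301", "302", "303", "307") and "location" in headers:
        target = urlparse(headers["location"]).hostname or ""
        if target and target != requested_host:
            findings.append(("offsite_redirect", target))
    for tag in IFRAME_RE.findall(body):
        match = SRC_RE.search(tag)
        src_host = urlparse(match.group(1)).hostname if match else None
        if HIDDEN_RE.search(tag) and src_host and src_host != requested_host:
            findings.append(("hidden_iframe", src_host))
    return findings

def scan(samples):
    return [(host, analyze(host, raw)) for host, raw in samples]

if __name__ == "__main__":
    for host, findings in scan(SAMPLES):
        print(host, findings or "clean")
```

Off-site redirects and third-party iframes are also common in legitimate traffic (CDNs, single sign-on, embedded widgets), so this flags candidates for a closer look rather than giving a verdict.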

Though the rootkit is mainly directed at displaying ads, it isn't adware; it is still fully capable of performing far more malicious actions on the system. And it looks like even the Internet cafe operators don't always know quite what they've installed on their machines.


Wednesday, September 11, 2013

Post-Office Espionage Posted by Sean @ 16:20 GMT

A good working knowledge of history is crucial. Because context is everything.

Which is why those of you with any kind of interest in recent NSA/GCHQ revelations should read historian Jill Lepore's article:

The Prism, Jill Lepore

The Prism: Privacy in an age of publicity

Using poppy seeds, strands of hair, and grains of sand… and then mailing the letter to himself to figure out he was being spied on?

Sounds like Giuseppe Mazzini was the "hacker" of his day.


Tuesday, September 10, 2013

Limit Exposure to Facebook Friends of Friends Posted by Sean @ 09:48 GMT

Yesterday, Forbes reporter Kashmir Hill asked a question which has been on my mind for years:

Forbes, Kashmir Hill, Friend of a Friend

Why Doesn't Facebook Show You What A 'Friend of a Friend' Sees On Your Profile?

The question is in reference to Facebook's "View As" feature which can be used to audit your account. And the answer given is rather a surprise. According to Facebook's chief privacy officer Erin Egan: "We've never gotten feedback about that before."

Never?!? If that's true, I can only assume it's because they've never bothered to ask anybody.

I'm frequently asked this question when family and friends ask for Facebook advice: I can see stuff belonging to people I'm not friends with, what can they see on my timeline? And because Facebook lacks a complete set of auditing tools, I usually recommend a full reset with the "Limit Old Posts" option.

Facebook Settings, Limit Old Posts

The option resets all past timeline content to "Friends" only. At that point you don't need to audit, friends of friends will see nothing more than what is later made public. Limit Old Posts can be found via the Privacy Shortcuts icon and the See More Options link.

Just the other day, I was helping a neighbor set up a page for his Helsinki-based fudge business and it turned out that a large number of his photos were in an (iPhoto) album which was open to friends of friends. Given that there are pictures of his children in that album… the Limit Old Posts is a must.

Additional "View As" options would be very welcome, and Facebook should also consider a review page showing photos of people that can be seen by people other than friends.

Post by — Sean


Friday, September 6, 2013

Will the U.S. "Cyber Attack" Syria? Posted by Sean @ 12:51 GMT

In what is very surely a disturbing sign of the times…

We've been asked: should cyber weapons be included in a "measured military response" to Syria's use of chemical weapons?

Some think they should:

  •  Guest: U.S. should launch a cyberattack on Syria
  •  How the US Could Cyber Attack Syria, Too
  •  US may launch cyber attacks on Syria: Experts
  •  US likely to wage cyber attacks against Syria

Should. May. Likely?

We remain skeptical…

And if you are skeptical as well, may we recommend the following:

Cyber War Will Not Take Place


But don't just take our recommendation, at the very least, read this review:

Cyberwar Is Mostly Bunk by Ronald Bailey.


Thursday, September 5, 2013

EU Parliament Civil Liberties Committee on US Surveillance Posted by Sean @ 13:02 GMT

Now: the EU Parliament's Civil Liberties Committee starts the first of a series of hearings examining issues around US surveillance.

Here's the agenda for Session 1:


Broadcast link: Committee on Civil Liberties, Justice and Home Affairs


Wednesday, September 4, 2013

Whatever Happened to Facebook Likejacking? Posted by Sean @ 12:56 GMT

Back in 2010, Facebook likejacking (a social engineering technique of tricking people into posting a Facebook status update) was a trending problem. So, whatever happened to likejacking scams and spam? Well, Facebook beefed-up its security — and the trend significantly declined, at least when compared to peak 2010 numbers.

But you can't keep a good spammer down. Can't beat them? Join them.

Today, some of the same junk which was spread via likejacking… is now spread via Facebook Advertising.

Facebook Sponsors

The top middle thumbnail above is some kind of malformed egg. Typical click-bait.

The ad links to a Page with localized campaigns. Note the "Ca" and the "Fi".

Cooking Lessons 101

The landing page uses an "app" trick to automatically redirect to a spam campaign:

Work from home scheme

We're pretty sure such tricks are a violation of Facebook's ToS. But so far, Facebook hasn't reacted to the sample we sent them.


Some of the spam campaigns are not exactly "safe for work" depending on the source ads:

Jailbait ads

Also a concern: some of the ads appear to be linked to compromised websites. The spammers may not even be paying for these ads.

Are you judged by the company you keep?

That's probably a question legitimate brands with a Facebook presence should be asking themselves.