NEWS FROM THE LAB - September 2014


Friday, September 26, 2014

Are malware authors targeting people via marketing services? Posted by Jarno @ 11:38 GMT

We spotted an interesting case of a person complaining about e-mail malware whose social engineering content hit home almost too well, and decided to investigate a bit.

The person had been talking to his friend about possibly booking tickets to San Francisco in the near future. 6 hours after the phone call he received an e-mail about an electronic plane ticket to San Francisco, with an attachment. The person was cautious enough not to touch the attachment, which was a good decision, as our analysis identified it as a variant of Trojan.Krypt.AU.

This may just be a case of mass-spammed malware whose social engineering text happened to reach this particular user at exactly the right moment. But when we checked our sample collection, there were only 1250 instances of related malware, which indicates that this particular malware is not being spammed to large audiences. The odds of such a coincidental hit are therefore very small.

Over the last year, providers of targeted advertising have become a lot better at profiling users. For example, after browsing for flight or hotel information, I have started to receive e-mail about flight and hotel offers for that particular destination from TripAdvisor and other companies. Of course, in order to experience this one has to have Freedome disabled so that one can be tracked, but that is the price of wanting to experience the net like a regular user.

So this case looks very much like a targeted advertising service was misused for victim discovery by malware authors. We have seen advertising misused a lot with search engines, but this is the first case where we have indications that e-mail advertising services are being used in a similar manner.

So far there is no proof that the victim selection was done by abusing targeted profiling, nor, if profiling was used, whether it was based on phone call analysis. Perhaps the person searched for something which provided a match for profilers. But this is an interesting case and we will be keeping an eye out for future developments.

Fake Delta e-mail

Post by — Jarno


Thursday, September 25, 2014

BlackEnergy 3: An Intermediate Persistent Threat Posted by Sean @ 16:50 GMT

We have a new white paper available.

BlackEnergy & Quedagh: The convergence of crimeware and APT attacks

The paper's author, Broderick Aquilino, first wrote about BlackEnergy in June:

  •  BlackEnergy Rootkit, Sort Of
  •  Beware BlackEnergy If Involved In Europe/Ukraine Diplomacy

BlackEnergy is a kit with a long history and this new analysis is quite timely. In fact, malware researchers Robert Lipovsky and Anton Cherepanov from ESET will present a BlackEnergy paper at Virus Bulletin today.

Broderick's latest concurrent analysis includes details on a variant he has dubbed "BlackEnergy 3". Among Quedagh-BE's new features is support for proxy servers when connecting to C&Cs. In this case, the proxies are based in Ukraine and there is compelling evidence the Quedagh gang is targeting Ukrainian government organizations.

Who is behind BlackEnergy 3? Here are some theories:

1) The Kremlin is directly responsible and using a crimeware kit provides plausible deniability.
2) Useful idiots (as in purely political patriotic hacktivists).
3) Current or former cyber-criminals (aka privateers). BE3 is evolving to reflect "market" interests.
4) All of the above.
5) Perhaps all of this is wrong and it's the Dutch (it's not the Dutch).

Whoever is behind Quedagh's campaign, they're using what is (or at least was) generally considered a "commodity threat" to achieve "advanced persistent threat" goals. This appears to be a trend.

Why Quedagh?

Quedagh Merchant

Quedagh Merchant is the name of a ship which was captured by Captain William Kidd, an infamous 17th-century Scottish privateer.

"Privateering was a way of mobilizing armed ships and sailors without having to spend treasury resources or commit naval officers."

Our working theory is that the emergence of "intermediate persistent threats" such as BlackEnergy 3 is being driven by market forces and that cyber-criminals are expanding their capabilities into espionage and commoditized information warfare.


Tuesday, September 23, 2014

Notice: Freedome v2.0.1 Issue on iOS 8 Posted by Sean @ 13:45 GMT

If you (like me) have an Apple device running iOS 8 and use F-Secure Freedome, please avoid updating to version 2.0.1.

If you (like me) have already updated, you may see this after opening the app:

Freedome 2.0.1 on iOS 8

Do not "Remove Old VPN configurations" — just close the app. Version 2.0.1 should work with its existing configurations.

If you need to toggle Freedome on/off…

Use: Settings, General, VPN. Click the info button for your configuration and toggle "Connect On Demand".

iOS 8 VPN settings

You'll be limited to only the locations that you currently have installed. But the ones that you have should work based on my testing.

The developers submitted a fixed version (v2.0.2) to Apple earlier this morning, which is pending Apple's review. More details are available from our community forum and from Freedome's Twitter account.

We are very sorry for the inconvenience.

Updated: Version 2.0.2 is now available. I needed to manually delete my "iOS7" profile from my device's settings but was then able to install a new profile via the app. Please visit our community forum (link above) for additional details.

Post by — Sean


Thursday, September 18, 2014

CosmicDuke and the Latest Political News Posted by Timo @ 21:13 GMT

After publishing the CosmicDuke report in July 2014, we continued to actively follow the malware. Today we discovered two new samples that both leverage timely political topics to deceive the recipient into opening the malicious document.

The first one discusses the Ukraine crisis and EU sanctions over Russia and the original document was published here less than a week ago.

The second document is squarely focused on current affairs: Scotland votes on independence today. The original article was published early this week. Here is the decoy document:

It is obvious that the attackers are keeping abreast of the latest political news, and they are very agile: they have the capability and capacity to rapidly utilize the information to increase the odds of social engineering.

If you are interested in learning more about CosmicDuke, these latest samples, as well as other interesting discoveries, will be discussed in detail at T2, an information security conference during October 23-24 in Helsinki, Finland.


Paying For Content Posted by Mikko @ 08:37 GMT

I remember setting up our first website. That was 20 years ago, in 1994. When the Web was very young and there were only a handful of websites, it was easy to forecast that the Web was going to grow. And indeed, during these past 20 years, it has exploded in size. What’s even more important, the Web brought normal everyday people online. Before the Web, you would only find geeks and nerds online. Now everybody is online.

Back in 1994, we were guessing what would fuel the upcoming growth of the Web. For it to grow, there has to be online content—content like news or entertainment. And for news and entertainment to move online, somebody has to pay for it. How would users pay for online content? We had no idea. Maybe newspapers would start charging an annual online subscription fee, just like they did for their paper version? Or maybe the web would incorporate some kind of an online on-demand payment system; the user would have an easy way of doing in-browser micropayments in order to access content. This would enable the user to pay, say, one cent to read today’s Dilbert cartoon.

As we know now, such a micropayment system never happened—even though it looked like such an obvious thing 20 years ago. Instead, a completely different way of paying for online content surfaced: ads. I remember seeing the first banner ad on a website, maybe in 1995 or 1996. I chuckled at the idea of a company paying money for showing their ad on someone else’s website. I should not have chuckled; that same idea now fuels almost all of the content online. And highly efficient ad profiling engines create practically all the profit for companies like Google and Facebook.

Google is a particularly good example of just how profitable user profiling can be. Its services — like Search, YouTube, Maps and Gmail — are free. You don’t pay a cent for using them. These services are massively expensive to run: Google’s electricity bill alone is more than $100 million a year. You would think that a company that runs very expensive services but doesn’t charge for them would be making losses — but it isn’t. In 2013, Google’s revenue was $60 billion. And their profit was $12 billion. So, if we make a modest estimate that Google has one billion users, every user made 12 dollars of profit for Google last year — without paying a cent.

Frankly, I’d be happy to pay Google $12 a year to use their services without tracking or profiling. Heck, I would be ready to pay $100 a year! But they don’t give me that option. We — the users — are more valuable in the long run by having our data and our actions profiled and saved.

Of course, Google is a business. And they are doing nothing illegal by profiling us—we volunteer our data to them. And their services are great. But sometimes I wish things would have turned out otherwise and we would have a simple micropayment system to pay for content and services. Now, with the rise of cryptocurrencies, that might eventually become a reality.

Mikko Hypponen

This was originally published as a foreword for: F-Secure Threat Report H1 2014


Tuesday, September 16, 2014

Why do Apple's security questions still suck? Posted by Sean @ 13:46 GMT

It's been two weeks, so why do Apple's security questions still suck?

Here's an example of questions you'll be asked when you create an Apple ID:

Apple Security Questions

And here's the full list…

Security Question 1:

  •  What is your favorite children's book?
  •  What is your dream job?
  •  What was your childhood nickname?
  •  What was the model of your first car?
  •  Who was your favorite singer or band in high school?
  •  Who was your favorite film star or character in school?

Security Question 2:

  •  What was the first name of your first boss?
  •  In what city did your parents meet?
  •  What was the name of your first pet?
  •  What is the first name of your best friend in high school?
  •  What was the first film you saw in the theater?
  •  What was the first thing you learned to cook?

Security Question 3:

  •  What is the last name of your favorite elementary school teacher?
  •  Where did you go the first time you flew on a plane?
  •  What is the name of the street where you grew up?
  •  What is the name of the first beach you visited?
  •  What was the first album that you purchased?
  •  What is the name of your favorite sports team?

The problem is painfully obvious — the questions are far too subjective or else are based on easily obtainable information.

What then does one do?

Whatever the question, create a nonsense answer. But then you'll have another problem… you'll forget the nonsense when you need it.

So what next then?

Use your password manager's note field:

Childhood nickname? SvenHjerson

Hopefully you'll never need to use your answer — make sure nobody else can either.
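The nonsense-answer approach above, as an added example that is not part of the original post: it draws random words with a CSPRNG, estimates how hard the result is to guess, and formats the question/answer pairs for a password manager's note field (the wordlist and question subset are constructed for the demo).

```python
import math
import secrets

# Constructed mini wordlist for demonstration (assumption: a real script would load
# a large list such as a diceware list); its size drives the entropy estimate below.
WORDLIST = [
    "anvil", "beacon", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid",
    "pebble", "quartz", "raven", "saffron", "tundra", "umber", "velvet",
    "walnut", "yarrow", "zephyr",
]

# Three of the questions listed above.
QUESTIONS = [
    "What was your childhood nickname?",
    "In what city did your parents meet?",
    "What was the first album that you purchased?",
]


def nonsense_answer(words, n_words=3, rng=secrets):
    """Build an answer with no relation to the question: n random words
    joined in CamelCase (e.g. 'RavenTundraIris'), drawn with a CSPRNG."""
    return "".join(rng.choice(words).capitalize() for _ in range(n_words))


def answer_entropy_bits(words, n_words):
    """Guessing entropy of a random n-word answer: log2(len(words) ** n_words)."""
    return n_words * math.log2(len(words))


def build_note(questions, words, n_words=3):
    """One fresh nonsense answer per question, ready for the note field."""
    return {q: nonsense_answer(words, n_words) for q in questions}


def format_note(note):
    """Render the mapping as lines like 'Childhood nickname? SvenHjerson'."""
    return "\n".join(f"{q} {a}" for q, a in note.items())


if __name__ == "__main__":
    print(format_note(build_note(QUESTIONS, WORDLIST)))
    print(f"~{answer_entropy_bits(WORDLIST, 3):.1f} bits of guessing entropy per answer")
```

With this 25-word list a three-word answer has about 14 bits of guessing entropy; a real wordlist of several thousand entries pushes that well past any "favorite band" answer.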


For related advice, please see our article on dealing with passwords.


Friday, September 12, 2014

A Twitch of Fate: Gamers Shamelessly Wiped Clean Posted by FSLabs @ 11:29 GMT

Twitch is a video gaming focused live streaming platform. It has more than 50 million viewers and was acquired in August for nearly a billion dollars.

We recently received a report from a concerned user about malware that is being advertised via Twitch's chat feature. A Twitch-bot account bombards channels and invites viewers to participate in a weekly raffle for a chance to win things such as "Counter-Strike: Global Offensive" items:

items (165k image)

The link provided by the Twitch-bot leads to a Java program which asks for the participant's name, e-mail address and permission to publish the winner's name; in reality it doesn't store any of those anywhere.

Those who have fallen victim to this fake giveaway will be shown this message after entering their details:

congrats (17k image)

After this message, the malware drops a Windows binary file and executes it to perform these actions:

  •  Take screenshots
  •  Add new friends in Steam
  •  Accept pending friend requests in Steam
  •  Initiate trading with new friends in Steam
  •  Buy items, if user has money
  •  Send a trade offer
  •  Accept pending trade transactions
  •  Sell items with a discount in the market

This malware, which we call Eskimo, is able to wipe your Steam wallet, armory, and inventory dry. It even dumps your items for a discount in the Steam Community Market.

Previous variants sold items at a 12% discount, but a recent sample showed that they changed it to a 35% discount, perhaps to sell the items faster.

code_sell_discount (67k image)

Being able to sell uninteresting items will allow the attacker to gather enough money to buy items that he deems interesting. The interesting items are then traded to an account possibly maintained by the attacker.

Victims have reported that their items were traded to this Steam account without receiving anything in return:

steamaccount (113k image)

All this is done from the victim's machine, since Steam has security checks in place for logging in or trading from a new machine. It would help users if Steam added another security check for accounts trading several items to a newly added friend, and for listing items in the market below a certain price threshold. This would lessen the damage done by this kind of threat.
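The extra check suggested above, as an added example that is not part of the original post and not anything Steam itself runs: it replays a constructed account timeline and flags bulk trades to a freshly added friend and market listings priced well below a reference price (event schema, thresholds and sample events are all assumptions).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    """One account action (constructed schema); kind is 'friend_added',
    'trade_sent' or 'market_listing'."""
    ts: datetime
    kind: str
    counterparty: str = ""   # friend account, or item name for a listing
    items: int = 0           # items included in a trade offer
    price: float = 0.0       # listing price
    reference: float = 0.0   # recent market price for the same item

# Assumed thresholds; a real deployment would tune these against normal trading.
NEW_FRIEND_WINDOW = timedelta(hours=24)
ITEMS_THRESHOLD = 3
DISCOUNT_THRESHOLD = 0.25

def flag_suspicious(events):
    """Return alerts for bulk trades to freshly added friends and for
    listings discounted at or beyond DISCOUNT_THRESHOLD."""
    friend_since = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "friend_added":
            friend_since[ev.counterparty] = ev.ts
        elif ev.kind == "trade_sent":
            added = friend_since.get(ev.counterparty)
            if added is not None and ev.ts - added <= NEW_FRIEND_WINDOW \
                    and ev.items >= ITEMS_THRESHOLD:
                alerts.append(("bulk_trade_to_new_friend", ev.counterparty, ev.items))
        elif ev.kind == "market_listing" and ev.reference > 0:
            discount = 1 - ev.price / ev.reference
            if discount >= DISCOUNT_THRESHOLD:
                alerts.append(("deep_discount_listing", ev.counterparty, round(discount, 2)))
    return alerts

# Constructed sample timeline mirroring the Eskimo behaviour described above.
T0 = datetime(2014, 9, 12, 11, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(days=10), "friend_added", "old_pal"),
    Event(T0, "friend_added", "mule_account"),
    Event(T0 + timedelta(minutes=10), "trade_sent", "mule_account", items=5),
    Event(T0 + timedelta(minutes=12), "market_listing", "knife", price=6.50, reference=10.00),
    Event(T0 + timedelta(minutes=15), "market_listing", "case", price=0.95, reference=1.00),
    Event(T0 + timedelta(hours=2), "trade_sent", "old_pal", items=5),  # old friend: no alert
]
```

Running `flag_suspicious(SAMPLE_EVENTS)` yields two alerts: the five-item trade to the account added ten minutes earlier, and the 35%-discount listing; the trade to the long-standing friend and the 5%-discount listing pass.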


Monday, September 8, 2014

H1 2014 Threat Report Posted by Sean @ 13:05 GMT

Our latest Threat Report is now available.

H1 2014 at a glance

The report includes our statistics, incidents calendar and threatscape summaries for H1 (Q1+Q2) 2014.

Download: H1 2014 Threat Report [PDF]

Additional case studies: Whitepapers


Friday, September 5, 2014

Security. Privacy. Identity. Posted by Sean @ 12:07 GMT

Key components of digital freedom:

Things we defend.

This is F-Secure Labs.


Thursday, September 4, 2014

Wi-Fi Sense? Posted by Sean @ 13:26 GMT

Windows Phone 8.1 (Lumia Cyan) updates are currently rolling out to various Lumia devices. One of the new features is Microsoft's "Wi-Fi Sense", which will automatically connect to Wi-Fi networks and accept their terms.

Wi-Fi Sense

Your phone will automatically accept Wi-Fi network terms?

Wi-Fi Sense

"Not all Wi-Fi networks are secure."

(At least you're able to edit the information provided on your behalf.)

Wi-Fi Sense

Also, Wi-Fi Sense will share Wi-Fi network access with your contacts and "friends".

Wi-Fi Sense

So… if your phone knows the password to your company's Wi-Fi network, now your Facebook friends can access it too?

Information security managers are going to love that.