NEWS FROM THE LAB - October 2011


Monday, October 31, 2011

Backdoor:OSX/Tsunami.A Posted by Sean @ 16:47 GMT

Our description for Backdoor:OSX/Tsunami.A is now online. Tsunami is a Mac OS X backdoor with bot functionality.


The bot is capable of participating in DDoS attacks, and in fact, one variant attempts to connect to an IRC server with "anonops" in its name — as in (Internet collective) Anonymous Ops.

Because there is no obvious infection vector for Tsunami, some analysts have speculated that OSX/Tsunami is a work in progress. Others have noted that remote hacking of a server is one possible vector. Given that OSX/Tsunami is based on a Linux bot that has long used PHP vulnerabilities to install, this is a definite possibility.

We've even read some posts that have suggested that people may be installing this backdoor themselves in order to volunteer their computer to DDoS activities carried out by Anonymous.

Volunteering one's own computer??? That sounds absurd to us.

Especially when we consider all of the other Macs that are potentially available to be "volunteered" by members of Anonymous.



Thursday, October 27, 2011

Trojan:SymbOS/OpFake.A Posted by ThreatResearch @ 17:35 GMT

Here's the technical analysis related to yesterday's post on Trojan:SymbOS/OpFake.A.

OpFake.A arrives as a supposed Opera Mini updater using file names such as OperaUpdater.sisx and Update6.1.sisx. The malware installer adds an Opera icon to the application menu. When run, it will show a menu and a fake download progress bar.

Opera Updater 56%
Progress bar displayed… even though this installer was run inside of a Faraday room.

The malware also has a "license" which can be displayed. When the trojan is started, and before the victim advances through any of the menus, the trojan is already sending text messages to Russian premium rate numbers. The numbers and the content of the messages come from an encrypted configuration file (sms.xml).

The Symbian version of OpFake.A also monitors SMS messages for the short while it is active, deleting incoming messages, and messages moved to the sent messages folder, based on their phone numbers and content. The code that handles the interception of incoming SMS messages is largely identical to that in Trojan:SymbOS/Spitmo.A; that part of OpFake.A clearly shares source code with Spitmo.A.

OpFake.A tracks whether it has been run before and won't do anything except for the first time it is executed.

OpFake trojans have been self-signed using a certificate created by the attackers themselves. The owner of the certificate is JoeBloggs and the company is acme. Because these names were used as an example on a website for creating certificates, there are also non-malicious files signed with certificates that have the same owner name and company.

There are numerous variants of the installer in different paths on OpFake's host server using different file names (OperaUpdater.sisx, Update6.1.sisx, jimm.sisx). One example path is [IP Address]/builder/build/gen48BF.tmp/OperaUpdater.sisx. The varying part of the path is the 4 characters between gen and .tmp.

There is also a Windows Mobile version of the malware on the same server under a different path, for example: [IP Address]/wm/build/gen7E38.tmp/setup.CAB. Again there are numerous versions under different random paths. Currently there are over 5000 folders with random names under wm/build.

Below are two examples of decrypted configuration files; the first is for a Symbian variant and the second for a Windows Mobile variant. The entries with "number" and "text" signify the phone number where a message is sent to and the content of the message.

OpFake configuration files

SHA-1: 2518a8bb0419bd28499b41fad2089dd7555e50c8


Wednesday, October 26, 2011

OpFake: Premium Rate SMS Trojan That Shares Code w/ Spitmo Posted by Sean @ 17:10 GMT

One of the more interesting cases we've analyzed this year is Spitmo, short for SpyEye in the mobile.

When some versions of SpyEye, an infamous banking trojan, encounter mTANs, a mobile-based defense against computer-based man-in-the-browser attacks, a counteroffensive is offered: Spitmo, a mobile trojan that circumvents the authentication process.

It's a rather interesting crossover attack which uses clever techniques and code.

So naturally, when a couple of our analysts recently fired up some new Symbian automation they've developed, one of the first things they did was to feed it Spitmo. And the results were quite surprising!

Our new system discovered 54 samples that share code with Spitmo — but that aren't Spitmo. These "cousins" of Spitmo are premium rate SMS trojans that target Russian mobile phone users (using Russian SMS short codes). We've named these trojans OpFake because the installer claims to be Opera Mini (OperaUpdater.sisx).

But that's just a part of our story.

Our analysis of the OpFake Symbian binaries uncovered an IP address, and a search for that IP address found a server online from which Windows Mobile versions of OpFake can also be accessed via a publicly available folder containing over 5,000 sub-folders. Each sub-folder contains a unique and encrypted configuration file. We suspect these folders are visible due to a configuration error as the Symbian folders are inaccessible.

OpFake: use of Spitmo components, Symbian, Windows Mobile, (perhaps other OS?), premium rate SMS messages… somebody is running quite a developed operation from their server in Saint Petersburg.

The server's IP address has been reported to CERT-FI.

Technical analysis of the OpFake binaries and details of the server's folder structure will be posted tomorrow.


Tuesday, October 25, 2011

DroidKungFu Utilizes an Update Attack Posted by ThreatSolutions @ 06:28 GMT

We did a quick post yesterday about a DroidKungfu sample that appeared to use a novel infection vector.

Now, as promised, more technical details.

DroidKungFu, Chinese market

The application we've been analyzing is called, and a quick check into its content reveals a couple of findings.

The original application (SHA-1: 5e2fb0bef9048f56e461c746b6a644762f0b0b54) shows no trace of DroidKungFu at first glimpse.

DroidKungFu, Original install
Content and installation permission

Once installed, the application would inform the user that an update is available; when the user installs this update, the updated application would then contain extra functionalities, similar to that found in DroidKungFu malware.

The series of screenshots below shows what happens during the update process:



Compared to the original version, the updated application requested two additional permissions that would allow it to access SMS and MMS messages, and the device's location.

While a difference in permissions may not be the best way to identify whether an update is malicious, it is still good practice to be aware, and suspicious, if an application update requests different permissions.
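A simple way to act on that advice is to diff the permission sets of the installed package and the update before accepting it. The Python below is an added example written for this page, not code from the post or from the DroidKungFu analysis. It takes decoded AndroidManifest.xml text (a real APK carries a binary manifest that first has to be decoded, e.g. with apktool, or listed with `aapt dump permissions`), computes which permissions the update newly requests, and flags any that appear on a watch list that is an assumption of the example rather than an Android-defined category. The two manifests are constructed samples that mirror the permissions described above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample manifests (not taken from the real samples): the original
# app asks only for INTERNET, the "update" additionally wants SMS/MMS and location.
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers"/>
</manifest>
"""

UPDATED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Wallpapers"/>
</manifest>
"""

# Permissions whose first appearance in an update deserves a second look before
# accepting it. This watch list is an assumption of the example.
WATCH_LIST: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml: root element is %r" % root.tag)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def package_name(manifest_xml: str) -> str:
    return ET.fromstring(manifest_xml.strip()).get("package", "")


def permission_delta(old_xml: str, new_xml: str) -> Dict[str, List[str]]:
    """Diff the permission sets of the installed package and its update."""
    if package_name(old_xml) != package_name(new_xml):
        # An "update" carrying a different package name is a different app altogether.
        raise ValueError("package names differ; this is not an update of the same app")
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "watched_added": sorted(added & WATCH_LIST),
    }


def update_is_suspicious(old_xml: str, new_xml: str) -> bool:
    """True when the update newly requests at least one watch-listed permission."""
    return bool(permission_delta(old_xml, new_xml)["watched_added"])


if __name__ == "__main__":
    delta = permission_delta(ORIGINAL_MANIFEST, UPDATED_MANIFEST)
    print("newly requested:", delta["added"])
    print("suspicious update:", update_is_suspicious(ORIGINAL_MANIFEST, UPDATED_MANIFEST))
```

Android only installs an update over an existing package when it is signed with the same certificate as the installed one, so an update that reaches the permission prompt at all was produced by whoever holds the developer's signing key; that is consistent with the earlier post's speculation that either the developer or the developer's compromised back end is behind this one.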

More importantly, the updated application uses an exploit to gain root privilege, which would enable it to perform more potentially unwanted actions.

In the last screenshot, the application was shown to have stopped unexpectedly. It is probably due to an error as this variant of DroidKungFu is still using the exploit for Android OS version 2.2, and the tested phone is using Android OS version 2.3.

Below is the packet capture during the update process showing the source of the updated application:


A quick view into the contents of the updated application with SHA-1: 7cd1122966da7bc4adfabb28be6bfae24072c1c6.


The init.db file is actually a standalone copy of DroidKungFu; it is not actually a database file but an encrypted APK file that will be installed by the application when it gains root privilege.

To verify that this application is indeed DroidKungFu, let's take a look at the code:


The "WP" string holds the decryption key as an ASCII representation which, when converted, becomes "Deta_C1*T#RuOPrs".

Further verification reveals that this application is indeed a variant of DroidKungFu, and we have detected it since August 18, 2011 as Trojan:Android/DroidKungFu.C.

A quick check of detection coverage for the samples (both before and after the update) with VirusTotal showed the following results. The original application, which updates itself to DroidKungFu:


And, for the updated application:


Threat Solutions post by — Zimry, Irene and Yeh


Oct 25th Post Updates: This post was edited to correct details related to the screenshots; the first few paragraphs were reworked to clarify that this topic is related to yesterday's post, and to replace links to VirusTotal scan reports with screenshots.


Monday, October 24, 2011

These Aren't the Droid Updates You're Looking For Posted by Sean @ 19:16 GMT

Our Threat Solutions team discovered an interesting threat using a novel "infection vector" for Android today.

Back in July, they analyzed Spyware:Android/SndApps, which, after an update, is able to access various bits of personal information. Before the update, it only requests the "Internet" permission. It seems probable to us that users are less likely to carefully review permissions for an update of an application that is already installed on their smartphone.

So with this permission escalation via an update method in mind, the team has been monitoring for malicious applications attempting the same trick. And today… they found one.

Analysis is currently underway.

What we can currently tell you is that the original application (downloaded from a third-party market) is free of malicious code. Once installed, the application immediately informs the users that an update is available — and that "update" — installs a variant of Trojan:Android/DroidKungFu.

There's still some question as to whether the original application developer actually intends for their application to be used as a DroidKungFu downloader. Possibly, the developer's back end has been compromised.

We detect the applications as Trojan-Downloader:Android/DroidKungFu.E and Trojan:Android/DroidKungFu.C.

SHA-1: 5e2fb0bef9048f56e461c746b6a644762f0b0b54

We'll have additional technical details and screenshots on this "update attack" in a subsequent post.


Friday, October 21, 2011

Galaxies Collide Posted by Mikko @ 12:09 GMT

Duqu contains a backdoor that steals information. Infostealers need to send the stolen info back somehow. Careful infostealers try to make the transfer look innocent in case somebody is watching network traffic. Duqu hides its traffic by making it look like normal web traffic.

Duqu connects to a server ( a.k.a. – which used to be in India) and sends an http request. The server will respond with a blank JPG image. After which Duqu sends back a 56kB JPG file called dsc00001.jpg and appends the stolen information (encrypted with AES) to the end of the image file.

Even if somebody is watching outbound traffic, this wouldn't look too weird.
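A defender watching that traffic can still catch it: a JPEG ends at its EOI marker (0xFFD9), so anything after it is not part of the image. The Python below is an added example written for this page, not code from the Duqu analysis. It walks the JPEG marker structure instead of searching for the last 0xFFD9 (an encrypted payload can contain that byte pair by chance), returns whatever trails the image, and flags a long, high-entropy trailer. The minimal JPEG and the pseudo-random bytes standing in for the AES-encrypted data are constructed inline.

```python
import hashlib
import math
from collections import Counter
from typing import Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker of the JPEG at the start of data.

    Walks the marker segments, so a 0xFFD9 inside scan data or inside an
    appended payload does not fool it. Raises ValueError if the JPEG is
    malformed or has no EOI.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI: not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:     # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            raise ValueError("bad segment length at offset %d" % pos)
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows; skip to the next real marker. 0xFF00 is a
            # stuffed data byte and 0xFFD0..0xFFD7 are restart markers inside the scan.
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= len(data):
                    raise ValueError("scan data runs past end of file (no EOI)")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2
                elif nxt == 0xFF:
                    pos = idx + 1
                else:
                    pos = idx
                    break
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image proper (empty for a clean JPEG)."""
    return data[jpeg_end_offset(data):]


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def looks_like_covert_upload(data: bytes, min_trailer: int = 64,
                             min_entropy: float = 7.0) -> Tuple[bool, int, float]:
    """(flagged, trailer length, trailer entropy). Ciphertext sits near 8 bits/byte;
    a few padding bytes or a short comment after EOI are not worth an alert."""
    trailer = trailing_payload(data)
    ent = shannon_entropy(trailer)
    return (len(trailer) >= min_trailer and ent >= min_entropy, len(trailer), ent)


# --- constructed samples ---------------------------------------------------
# Smallest marker structure the parser has to handle: SOI, APP0, SOS + scan data, EOI.
MINIMAL_JPEG = (
    b"\xff\xd8"                                                         # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                    # APP0 (JFIF header)
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"  # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"                            # scan data with stuffed FF00 and an RST0
    + b"\xff\xd9"                                                       # EOI
)


def fake_ciphertext(n: int, seed: bytes = b"duqu-example") -> bytes:
    """Deterministic high-entropy bytes standing in for AES output (not real encryption)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# The payload deliberately starts with 0xFFD9, so rfind(b"\xff\xd9") would mis-measure it.
EXFIL_SAMPLE = MINIMAL_JPEG + b"\xff\xd9" + fake_ciphertext(4094)


if __name__ == "__main__":
    print("clean image:", looks_like_covert_upload(MINIMAL_JPEG))
    print("exfil image:", looks_like_covert_upload(EXFIL_SAMPLE))
```

Run against the body of each outbound image upload (or the files a proxy saves), the check cannot read the encrypted contents, but a 56 kB photo that is followed by kilobytes of random-looking data is exactly the pattern described above.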

Duqu components contain different JPG files. One of them is this:

galaxies collide

It's a NASA picture of two galaxies colliding.

Why this picture?

Beats us.

Do any of our readers have any ideas?

Post your theories to the comments of this blog entry. Here's one theory to get you started.


Wednesday, October 19, 2011

Mac Trojan Disables XProtect Updates Posted by ThreatSolutions @ 07:46 GMT

There's something new brewing in Mac malware development (again).

Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware application.

First, Flashback.C decrypts the paths of XProtectUpdater files that are hardcoded in its body:

xprotectupdater_plist, Trojan-Downloader:OSX/Flashback.C
Flashback.C decrypts the path of the plist file of XProtectUpdater

xprotectupdater, Trojan-Downloader:OSX/Flashback.C
Flashback.C decrypts the path of the XProtectUpdater binary

The malware then unloads the XProtectUpdater daemon:

unload1, Trojan-Downloader:OSX/Flashback.C

unload2, Trojan-Downloader:OSX/Flashback.C

Finally, the malware overwrites the XProtectUpdater files with a " " character:

wipe_xprotectupdater_plist, Trojan-Downloader:OSX/Flashback.C
Flashback.C overwrites the plist file of XProtectUpdater

wipe_xprotectupdater, Trojan-Downloader:OSX/Flashback.C
Flashback.C overwrites the XProtectUpdater binary

The action described above wipes out certain files, thus, preventing XProtect from automatically receiving future updates.

Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform.
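Whether those two files are still intact is something an administrator can check directly. The Python below is an added example written for this page, not code from the post or from Apple. The two default paths are the XProtectUpdater launch daemon plist and binary as laid out on OS X 10.6 and 10.7, taken from memory rather than from the decrypted strings in the screenshots, so treat them as an assumption. The audit reports a file that is missing, wiped to whitespace, not a parseable launchd job, or not a Mach-O executable; the demo builds an intact pair and a Flashback-style wiped pair in a temporary directory so it runs on any platform.

```python
import os
import plistlib
import stat
import tempfile
from typing import Dict, List

# Assumed locations on OS X 10.6/10.7; the page does not print the decrypted paths.
XPROTECTUPDATER_PLIST = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
XPROTECTUPDATER_BIN = "/usr/libexec/XProtectUpdater"

# Mach-O (32/64-bit, both byte orders) and universal-binary magic numbers.
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe")


def _read(path: str, limit: int = 1 << 20) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(limit)


def check_launchd_plist(path: str) -> List[str]:
    """Findings for a launchd job file; an empty list means it looks intact."""
    if not os.path.isfile(path):
        return ["%s: missing" % path]
    raw = _read(path)
    if raw.strip() == b"":
        # Flashback.C's overwrite leaves a single space behind.
        return ["%s: %d byte(s) of whitespace only, looks wiped" % (path, len(raw))]
    try:
        job = plistlib.loads(raw)
    except Exception as exc:
        return ["%s: not a parseable plist (%s)" % (path, exc)]
    if not isinstance(job, dict):
        return ["%s: top-level object is not a dictionary" % path]
    findings = []
    if "Label" not in job:
        findings.append("%s: no Label key, not a launchd job" % path)
    if not (job.get("Program") or job.get("ProgramArguments")):
        findings.append("%s: no Program/ProgramArguments, daemon could not start" % path)
    return findings


def check_executable(path: str) -> List[str]:
    """Findings for the daemon binary; an empty list means it looks intact."""
    if not os.path.isfile(path):
        return ["%s: missing" % path]
    st = os.stat(path)
    head = _read(path, 16)
    if head.strip() == b"":
        return ["%s: %d byte(s) of whitespace only, looks wiped" % (path, st.st_size)]
    findings = []
    if head[:4] not in MACHO_MAGICS:
        findings.append("%s: not a Mach-O binary" % path)
    if not st.st_mode & stat.S_IXUSR:
        findings.append("%s: not executable" % path)
    return findings


def audit_xprotectupdater(plist_path: str = XPROTECTUPDATER_PLIST,
                          bin_path: str = XPROTECTUPDATER_BIN) -> List[str]:
    return check_launchd_plist(plist_path) + check_executable(bin_path)


def demo() -> Dict[str, List[str]]:
    """Audit an intact pair, a wiped pair and a missing pair built in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good_plist = os.path.join(tmp, "good.plist")
        good_bin = os.path.join(tmp, "good_bin")
        with open(good_plist, "wb") as fh:
            fh.write(plistlib.dumps({"Label": "com.apple.xprotectupdater",
                                     "ProgramArguments": [good_bin]}))
        with open(good_bin, "wb") as fh:
            fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)   # constructed 64-bit Mach-O magic
        os.chmod(good_bin, 0o755)
        wiped_plist = os.path.join(tmp, "wiped.plist")
        wiped_bin = os.path.join(tmp, "wiped_bin")
        for p in (wiped_plist, wiped_bin):
            with open(p, "wb") as fh:
                fh.write(b" ")                                # what Flashback.C leaves behind
        results["intact"] = audit_xprotectupdater(good_plist, good_bin)
        results["wiped"] = audit_xprotectupdater(wiped_plist, wiped_bin)
        results["missing"] = audit_xprotectupdater(os.path.join(tmp, "none.plist"),
                                                   os.path.join(tmp, "none"))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
    print("this host ->", audit_xprotectupdater() or "OK")
```

A plist that parses and a binary with the right magic do not prove the files are Apple's; for that, compare their hashes against a known-good install. The checks above only catch the crude wipe this variant performs.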

MD5 hash of Flashback.C sample (actual .pkg): 041ec03a36598a9823fb342cd9840acc
MD5 hash of Flashback.C sample (postinstall): e24979f7bd55a458a33247c5201a6a7d

Threat Solutions post by — Brod


Tuesday, October 18, 2011

Duqu – Stuxnet 2 Posted by Mikko @ 19:33 GMT

Big news today.

A new backdoor created by someone who had access to the source code of Stuxnet has been found.

Stuxnet source code is not out in-the-wild (only the binaries). Only the original authors have the source code. So, this new backdoor was created by the same party that created Stuxnet. For a refresher on Stuxnet — arguably the most important malware in history — see our Q&A.

Unlike Stuxnet, the new backdoor, known as Duqu, does not target automation or PLC gear. Instead, it's used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack based on the information gathered by Duqu.

The code similarities between Duqu and Stuxnet are obvious. Duqu's kernel driver (JMINET7.SYS) is actually so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems actually thought it was Stuxnet:

Duqu / Stuxnet 2

Stuxnet's drivers were signed with stolen certificates belonging to the Taiwanese companies RealTek and JMicron.

Duqu has a driver signed with a stolen certificate belonging to a Taiwanese company called C-Media Electronics Incorporation.


In addition to this signed driver, several other related unsigned driver files have been found, some of them claiming to be from JMicron or IBM:

jminet7.sys nfrd965.sys

The best research into Duqu so far has been done by Symantec. They've been at it for a while, and have today published a 46-page whitepaper on it.

Was Duqu written by US Government? Or by Israel? We don't know.

Was the target Iran? We don't know.

F-Secure antivirus detects Duqu generically with one of our Gen:Trojan.Heur detections.

P.S. By a coincidence, a website called ISS Source has today published a confused article talking about a new "Stuxnet-like worm" created by Google, Microsoft, and Oracle. We don't believe this article is accurate.

Updated to add: Our description with analysis of Duqu is now online.

SHA-1 hashes for the files referenced above:

jminet7.sys – d17c6a9ed7299a8a55cd962bdb8a5a974d0cb660
netp191.PNF – 3ef572cd2b3886e92d1883e53d7c8f7c1c89a4b4
netp192.PNF – c4e51498693cebf6d0cf22105f30bc104370b583
cmi4432.PNF – 192f3f7c40fa3aaa4978ebd312d96447e881a473
cmi4432.sys – 588476196941262b93257fd89dd650ae97736d4d
cmi4464.PNF – f8f116901ede1ef59c05517381a3e55496b66485
trojan-spy – 723c71bd7a6c1a02fa6df337c926410d0219103a

Edited to add: Corrections made and screenshots added.


"Privacy is a way of managing information flow." Posted by Sean @ 13:02 GMT

Why are people so willing to give away their personal information to complete strangers?

It's because humans want to share information. And in fact, they share information a lot more freely than other "things" such as goods and services.

Which of these are you most likely to provide without thinking much about it?

  •  To give a stranger directions to the bus stop (information).
  •  To take a stranger to the bus stop (service).
  •  To give a stranger bus fare (goods).

If you're like most people, you'll freely give directions, but you'll resist giving away your money.

And that's how civil human society works: we share, and we especially share information, because it costs us little and it helps society function more efficiently.

This idea was expressed by Clay Shirky at Austin's South by Southwest (SXSW) in 2010. Shirky has given multiple TED Talks and is widely respected for his thoughts on technology's effects on society. If you're interested in the subject of privacy, you should really watch Shirky's 2008 Web 2.0 Expo NY presentation: It's Not Information Overload. It's Filter Failure.

During the presentation, Shirky makes the following observation: privacy is a way of managing information flow. According to Shirky, the big question we're facing about privacy revolves around the fact that we aren't moving from one engineered system to another with different characteristics… but that we're moving from an evolved system to an engineered system.

"Managing our privacy" isn't a natural act.

What maintained our privacy in the past was that it was generally inconvenient to spy on people. Platforms such as Facebook present a new and unique problem and new solutions (filters) are needed, rather than to retool old existing filters.

YouTube: It's Not Information Overload. It's Filter Failure.


Friday, October 14, 2011

Mikko @ TEDxRotterdam Posted by Sean @ 14:08 GMT

Mikko presented at TEDxRotterdam this week.

A video is available here:

Additional videos and interviews are available on our YouTube channel.


Thursday, October 13, 2011

Is Anonymous still a "hacktivist" collective? Posted by Sean @ 17:40 GMT

Members of the Internet collective known as "Anonymous" are often described as hacktivists. But are they really?

Or are they really just activists (is that what they've become)?

We follow various Anonymous news accounts on Twitter and ever since the sub-collective, LulzSec, petered out, Anonymous has shifted away from talking about online attacks and hacks to real-world protests, e.g., Wall Street.

Back on August 15th, we mentioned Anonymous Ops Britain and BART. Operation BART was a rather successful event and is one of the precursors to Occupy Wall Street. Op Britain was scheduled for Saturday, October 15th. That's this Saturday.

We didn't really expect too much would develop from it.

But with the success of the Wall Street protests, Op Britain has expanded into Occupy The Planet.

Anonymous: Occupy The Planet

Hundreds of meetups around the world are planned — there's even one here in Helsinki, Finland.

Occupy Helsinki

By this time next year, instead of hacktivists, we may well all consider Anonymous to be a collective of "social media savvy" activists.


Wednesday, October 12, 2011

Mac Trojan Flashback.B Checks for VM Posted by ThreatSolutions @ 12:55 GMT

One of our analysts has discovered something interesting while debugging the latest version of Flashback, a Mac trojan that attempts to trick people into believing it's an Adobe Flash Player update.

While comparing the differences between Flashback.A and Flashback.B, he saw this routine:

vmcheck, Trojan-Downloader:OSX/Flashback.B

Flashback.B performs a "vmcheck". If virtualization is detected, the trojan aborts itself.

Apple started allowing users to run two additional instances of virtualized OS X with the release of Lion.

VMware-aware malware (say that ten times fast!) is a common anti-research technique used within the Windows ecosystem, but not yet so in Mac's. It appears that Mac malware authors are anticipating that researchers will begin to use virtualized environments during analysis, and are taking steps to hamper such efforts.

Threat Solutions post by — Brod


Tuesday, October 11, 2011

More Info on German State Backdoor: Case R2D2 Posted by Sean @ 12:56 GMT

Last weekend, the German based Chaos Computer Club (CCC) published details on a backdoor trojan they claimed was being used by German authorities, in violation of German law.

And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.

In one case, the trojan was installed on a suspect's laptop while he was passing through customs & immigration at the Munich International airport.

Here's some additional details about the backdoor itself.

The CCC's report included analysis of the backdoor's DLL and a kernel driver. The CCC apparently did not have access to the installer. (Which would have been locally installed on the suspect's computer.)

We do have the installer.

Here's a screenshot from our malware containment system:


The installer file is called "scuinst.exe". It was first seen on December 9th, 2010.

What's the importance of the filename scuinst.exe? It's an abbreviation for Skype Capture Unit Installer. Skype Capture Unit is the name of the commercial trojan developed by a company called DigiTask from the city of Haiger, Germany. For more information on the background of DigiTask and Skype Capture Unit, see these documents leaked by WikiLeaks. And here's a document showing The German Customs Investigation Bureau purchasing surveillance services from DigiTask worth 2,075,256 euro. That's two million euro.


Our system automation didn't like scuinst.exe and automatically set it to be blocked on customers' computers. The "heuristic" category indicates that our automation flagged the file based on rules that our analysts have created.

Have any F-Secure customers been exposed to R2D2?

No. Our statistics show no customer encounters with this backdoor (in-the-wild, before CCC's announcement).

How did F-Secure get a copy of the installer then?

We (and numerous other antivirus vendors) received the file from

In fact, the installer had been submitted to VirusTotal multiple times:


So lots of antivirus vendors have the installer?

Yes. VirusTotal is a service that analyzes suspicious files with multiple antivirus engines and provides a list of detection names. VirusTotal is a cooperative effort and it shares samples with everyone that participates.

If there's no detection, does that mean there's no protection?

No. Many antivirus products (such as F-Secure Internet Security) have additional layers of protection beyond traditional signature detections. Just because a threat doesn't have a signature "detection" doesn't mean that it won't be "blocked" by another layer of defense.

In this case, R2D2's installer would have been blocked by our "cloud" layer even before traditional signature database detections had been published.

So if VirusTotal shares with everybody, wouldn't somebody trying to keep a backdoor secret be stupid to upload it there?

Yes. That's why professional malware authors use black market multi-scanners.

Then why would R2D2's authors give it away?

Perhaps that was the only way they knew of to "test" their backdoor's installer.

Or perhaps they didn't care that they'd be decreasing the lifespan and effectiveness of their backdoor.

Or perhaps it just demonstrates the German government's (and the company hired to write the backdoor) lack of understanding as to what the antivirus industry does, and how we frequently work together to protect our customers.

We're all in this together.


Saturday, October 8, 2011

Possible Governmental Backdoor Found ("Case R2D2") Posted by Mikko @ 20:42 GMT

Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government.

R2D2 backdoor trojan

The announcement was made public on with a detailed 20-page analysis of the functionality of the malware.
Download the report in PDF (in German).

The malware in question is a Windows backdoor consisting of a DLL and a kernel driver.

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include and

We do not know who created this backdoor and what it was used for.

We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.

Our generic policy on detecting governmental backdoors or "lawful interception" police trojans can be read here.

We have never before analyzed a sample that has been suspected to be governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors.

Having said that, we detect this backdoor as Backdoor:W32/R2D2.A

The name R2D2 comes from a string inside the trojan: "C3PO-r2d2-POE". This string is used internally by the trojan to initiate data transmission.

R2D2 backdoor trojan

We are expecting this to become a major news story. It's likely there will be an official response from the German government.

MD5 hashes: 930712416770A8D5E6951F3E38548691 and D6791F5AA6239D143A22B2A15F627E72


Thursday, October 6, 2011

Goodbye, Steve Jobs Posted by Jarno @ 09:16 GMT

Steve Jobs has died.

Google has altered its home page in tribute:

Google's Steve Jobs tribute

The words "Steve Jobs" link to


And Apple's image of Jobs links to this message:

Apple remembers Steve Jobs

It's a rather moving tribute.

It's also a good security move on the part of Google.

As soon as we heard the news, we started looking out for malware, scams and other attempts by less than scrupulous people to milk Jobs one last time. It happens every time there's breaking news. The Japanese earthquake and tsunami last March is one notable example. When news happens, search engine optimization scams will happen.

Currently, a search for "Steve Jobs funeral" delivers a scam in the first page of results.

Google Search results

This particular site,, attempts to collect e-mail addresses for a supposed lottery with a 1-in-15 chance to win a Macbook. And it links to an online store selling Apple products as way to pay tribute to Jobs, by buying Apple products.

Conveniently for the site, this link also contains affiliate advertising info that brings revenue for any purchases made through the link.

It is probably needless to say that people should avoid, which was already registered on September 20th. The vultures have been circling around for quite a while.

scumbag website

Remember, when searching for news, use your common sense, and also

Google Search does a very decent job of filtering away malicious sites, but lately, it appears to be dropping the ball on spam and (advertising related) scams. Use Google News instead if it's available in your country.


Rest In Peace, Steve Jobs.


Monday, October 3, 2011

Sam and Daniel Posted by Mikko @ 13:03 GMT

The latest issue of WIRED has a great article about two guys we know well: Björn Sundin and Shaileskumar Jain.

We've blogged about Shaileskumar (aka Sam) and Björn (aka Daniel) before. See here.

Here's Sam, pictured around 2001:

Sam Shaileskumar Jain

These were the guys behind WinAntivirus and many clones of it. They are still on the run with their millions.

WinAntivirus Pro (Rogue)

Read the full article here.


Warning On E-mails About "iPhone 5GS" Posted by Mikko @ 11:41 GMT

Apple is expected to announce their next smartphone tomorrow.

Scammers know this and they know people are excited about the upcoming announcement. So they are spamming out malicious e-mails with messages such as this:

Fake iPhone 5GS

That's probably not what the next iPhone will look like. However, if you get curious and click on the links, you get redirected to download a Windows binary called iphone5.gif.exe hosted under a hacked server

This is what the downloaded file looks like:

Fake iPhone 5GS

When executed, the malware shows this image on screen:

Fake iPhone 5GS

Behind the scenes, it's a simple IRC bot based on mIRC. It connects to an IRC server at (

Infected machines can be centrally controlled via this server and are exposed to things such as credit card theft. In fact, the malware contains this text inside it: "I wanna be a billionaire so frickin bad!"

F-Secure Anti-Virus detects this as IRC-Worm.Generic.2106. The MD5 hash is 2B60D3E71289D5F98C8E633A9D0C617D.