NEWS FROM THE LAB - October 2013


Thursday, October 31, 2013

Are you ready for life in a smart_city? Posted by Sean @ 16:29 GMT

All sorts of "smart city" data is available online these days.

For example: here's a real time view of Helsinki's public transportation via HSL Live.

HSL Live

And that's just the start. Why stop there?

WeareData is a marketing campaign for Ubisoft's upcoming game, WATCH_DOGS.

We Are Data

WeareData's visualization is pretty neat, displaying three different cities: Berlin, London, and Paris.

We Are Data, Berlin

Hotspots, ATM, CCTV, and Tweets. All laid out for you on one map.

We Are Data, Types

Welcome to the future. Do you want to live there?


Tuesday, October 29, 2013

Rent-A-Hacker Posted by Sean @ 12:32 GMT

An example of what can be found on the Deep Web:


This guy claims to be "a proffessional computer expert who could earn 50-100 euro an hour with a legal job."

So the question is… why doesn't he?


Monday, October 28, 2013

TEDxBrussels Posted by Sean @ 11:53 GMT

Mikko has been presenting on the topic of state surveillance of late.

He'll soon be on stage at TEDxBrussels:


Live stream:


Updated to add:

If you've missed the live stream — don't worry — it will most likely end up on the TEDxBrussels YouTube channel.

In the meantime — published last week via Google Ideas:

Stuxnet: Pandora's Box?

Updated to add:

Mikko's Brussels talk is now live at TEDxTalks.


Thursday, October 24, 2013

Who Controls Free Expression in Cyberspace? Posted by Sean @ 12:53 GMT

Monday's BBC News: Facebook lets beheading clips return to social network.

On Tuesday, Facebook published a "Fact Check".

Wednesday's BBC News: Facebook makes U-turn over decapitation video clip.

U.K. Prime Minister David Cameron's reaction: I'm pleased Facebook has changed its approach on beheading videos. The test is now to ensure their policy is robust in protecting children. Despite Cameron's plea to think of the children — there's not very much he can personally do to "ensure" anything related to Facebook's content policy. Because he's impotent in the face of "the Deciders".

Deciders such as Dave Willner, not yet even 30 years old, who began his career at Facebook on the night shift answering questions about its photo uploader. Five years later, he's the head of Facebook's Content Policy.

A guy who studied anthropology and archeology. That guy, and others like him in Silicon Valley, are the ones deciding the future of freedom of expression on "the web". Or maybe not the web, as so many consumers now spend a significant amount of their time in one walled garden or another. But "cyberspace" at least.

Free Speech on the Internet: Silicon Valley is Making the Rules.

Those who care about future online expression should read Jeffrey Rosen's:

  •  The Delete Squad: Google, Twitter, Facebook and the new global battle over the future of free speech

Post by — @Sean


Wednesday, October 23, 2013

Neutrino: Caught in the Act Posted by SecResponse @ 16:23 GMT

Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code:


The deobfuscated code shows the location from which the injected iframe URL is fetched, as well as the use of a cookie to control the redirection. It also shows that it only tries to infect visitors browsing with IE, Opera and Firefox.
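A site owner checking for the kind of injection described above can look for the two hallmarks together: an off-site iframe that is hidden or sized 1x1, and inline script that branches on document.cookie and on the visitor's browser. The scanner below is an added example, not code from the post or from the infected sites; the HTML samples are constructed and the host names are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
BROWSER_GATE = re.compile(r"navigator\.userAgent|MSIE|Opera|Firefox", re.I)
COOKIE_GATE = re.compile(r"document\.cookie", re.I)

def _dim(value):
    """Parse a width/height attribute; a missing or odd value counts as large."""
    try:
        return int(str(value).rstrip("px%"))
    except (TypeError, ValueError):
        return 9999

class InjectScanner(HTMLParser):
    """Collects suspicious iframes and inline scripts from one HTML document."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src_host = (urlparse(a.get("src", "")).hostname or "").lower()
            tiny = all(_dim(a.get(k)) <= 1 for k in ("width", "height"))
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            if src_host and src_host != self.site_host and (tiny or hidden):
                self.findings.append(("hidden_offsite_iframe", src_host))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        # Script content is delivered here as one raw chunk by HTMLParser.
        if self._in_script and COOKIE_GATE.search(data) and BROWSER_GATE.search(data):
            self.findings.append(("cookie_and_browser_gated_script", data.strip()[:40]))

def scan_html(html, site_host):
    """Return a list of (finding_type, detail) tuples for one page of the site."""
    p = InjectScanner(site_host)
    p.feed(html)
    return p.findings

# Constructed samples modelled on the behaviour described in the post (not real captures).
SAMPLE_INFECTED = """<html><body><p>Welcome to our WordPress site</p>
<script>if(document.cookie.indexOf("v=1") == -1 && /MSIE|Opera|Firefox/.test(navigator.userAgent)){
document.cookie="v=1";}</script>
<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""
SAMPLE_CLEAN = '<html><body><iframe src="https://example.com/embed" width="640" height="360"></iframe></body></html>'
```

Run it over each page of the site's document root; an iframe to the site's own host, or a normally sized embed, produces no finding.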

And now for some good old snippets from the source site and the infected site:


When an infected website successfully redirects, the user will end up with a Neutrino exploit kit that is serving some Java exploit:


We haven't fully analyzed the trojan payload yet, but initial checks showed that it makes HTTP posts to this IP:


Early this week, when it probably was not in full effect yet, the injected URLs were leading to However, it went into full operation starting yesterday evening when it began redirecting to Neutrino to serve Java exploits.


Based on that timeline, we plotted the location of all the IP addresses that visited the infected sites on a map. These IPs are potential victims of this threat. There were approximately 80,000 IPs.


We also plotted the location of the infected websites; so far, around 20,000 domains are affected by this threat. The infected sites appear to be using either WordPress or Joomla CMS.


You can also find other information about this threat in Kafeine's blog post.

Samples related to this post are detected as Trojan:HTML/SORedir.A, Exploit:Java/Majava.A, and Trojan:W32/Agent.DUOH.

Post by — Karmina and @Daavid


What is the cost of ransomware? Posted by Sean @ 10:52 GMT

Here's a question we're often asked: what's the economic cost of malware?

We recently assisted in a joint investigation with the Finnish Police and CERT-FI. And in this particular case — we estimate that just one gang of "police" (themed) ransomware could be responsible for more than 800 million dollars' worth of damage and losses.

Details from the Finnish press release:

Press release

We'll translate the basics: a single gang using Reveton "police" ransomware netted more than 5 million victims worldwide, with more than 30,000 computers in Finland affected.

Reveton's current "fee" is 300 USD:

USA Reveton

The going rate in Europe is EUR 100:

French Reveton

At 100 euro each, the 30,000 Finnish victims alone represent three million euro of potential profit. Between North America and Europe — it's altogether something in the neighborhood of 600 million euro or more than 800 million dollars.

Now of course, not everybody pays Reveton's ransom (though quite a few do). So that potential profit isn't actually realized. But what about economic costs? The victims need to spend time and money to repair and recover their computers.

Some folks will have lost data in the process. And how much is that worth?

Last year, a friend's hard drive, full of family photos, crashed. The cost of repair? More than 6,000 USD! If just one percent of the Reveton gang's more than 5 million victims lost similar collections of photographs — that's equal to 300 million USD in lost data.

Disregarding data loss, the time spent on recovery is easily worth the same as the ransom payment.

Bottom line: ransomware is very costly.

Which is why we're highlighting the issue at as part of cyber security awareness month.

Are you ransomware aware? From now until the end of October, you can ask our own Antti Tikkanen and Paolo Palumbo questions about Reveton and other ransomware threats in our Community's Ransomware Q&A.

Here's a handy link you can share:


Monday, October 21, 2013

Touch ID: Biometrics Don't Make For Good Passwords Posted by Sean @ 13:12 GMT

There's an Apple event scheduled for tomorrow which will showcase this year's iPad lineup. Among the more credible rumors is that at least one version of the iPad will include Apple's Touch ID, its fingerprint identity sensor.

iPad Mini 2

And so it seems somewhat inevitable that all of our "smart" devices will soon include fingerprint readers.

That being the case, we strongly recommend the following by @dustinkirkland:

  •  Fingerprints are Usernames, not Passwords

We welcome intelligent use of biometrics — but not biometric passwords.

Updated to add: Well, no Touch ID this time. Fine with us.


Friday, October 18, 2013

Who Wants to Spy More, Android or iPhone Users? Posted by Sean @ 14:53 GMT

We came across some "installation guides" for a spyware app called "StealthGenie" today.

It's kind of interesting to note the viewing stats. Even though Android has a bigger market share, the Android Installation Guide video doesn't have that many more views than the iPhone one.

Android: 8,196 — iPhone: 7,641

StealthGenie Installation Guides

BlackBerry: 1,334

Poor BlackBerry… no longer 1337.


Friday, October 11, 2013

Blackhole, Supreme No More Posted by Karmina @ 20:52 GMT

Blackhole exploit kit has always been a favorite example when discussing the impact of kits on Internet users. We've previously mentioned in our posts how fast it was in supporting new vulnerabilities, how it was related to Cool, and that it was the leading kit in our telemetry data. Blackhole and Cool almost always had special mentions in our Threat Reports. So you can just imagine how closely we follow this topic.

Early this week, Maarten Boone Tweeted groundbreaking news regarding the fate of Paunch, the mastermind behind Blackhole and Cool. Though no further details were provided, it has been confirmed that Paunch was recently arrested in Russia.

With this news, we decided to look at our telemetry data once again. The graphs below show Blackhole and Cool turning from being at the top of the ranks to being negligible.

Graph: ek_hits_2013

Graph: bh_cool_2013

Graph: bh_cool_oct

It's as dramatic as a graph can get. From dominating the exploit kit charts, Paunch's brainchild, Blackhole, is slowly fading away with its master's arrest.

So what does the future look like? Will the numbers even out among the different exploit kits out there? Will one exploit kit arise to take over Blackhole's place? Will a new exploit kit come out and take over the market? We can only speculate. But one thing we do hope is that other exploit kit authors will take the hint: even if they may enjoy a few years of invincibility, they are not unreachable by the long arm of the law.

Tuesday, October 8, 2013

DeepGuard 5 vs. IE Zero-Day Exploit CVE-2013-3893 Posted by SecResponse @ 12:19 GMT

SPOILER ALERT: DeepGuard wins.

It's Patch Tuesday, and Microsoft will be releasing its monthly security updates later today.

Installing the updates as soon as possible is highly recommended because one of the patched vulnerabilities in Internet Explorer, CVE-2013-3893, is already being exploited in the wild. A Metasploit module for exploiting CVE-2013-3893 has also been released. But today is key, as the bad guys will almost certainly now reverse engineer the patches in order to develop exploits for the other vulnerabilities as well.

Building protection against exploits by creating vulnerability-specific defenses one at a time is not really sustainable. More proactive protection can be achieved by putting focus on the exploitation techniques. With this in mind, the key feature we introduced in version 5 of our behavioral technology — DeepGuard — is behavior-based exploit interception. By monitoring the behavior of commonly exploited software, e.g., web browsers, we can protect users against threats we have not yet seen — including zero-day exploits.

Here's a brief video of DeepGuard protecting the system from compromise via an exploit based on the CVE-2013-3893 vulnerability. The IE version in the video is vulnerable, i.e., the system does not have today's updates installed. The exploit in the video has been used in real attacks and is very similar to ones mentioned by FireEye and Dell, right down to the runrun.exe payload encrypted with the XOR key 0x95. The attack is replayed from a webserver on an isolated test network.
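Single-byte XOR encoding of a downloaded executable, like the 0x95 key mentioned above, is easy to undo on the analysis side: try all 256 keys and keep the one that yields the hallmarks of a Windows PE file. The helper below is an added example for analysts, not F-Secure's or DeepGuard's code; the encoded blob is a constructed stand-in for the captured payload, built from a fake PE stub and the key 0x95 from the post.

```python
# Markers expected in a decoded PE: the DOS header, the DOS stub text, the PE signature.
PE_HALLMARKS = (b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (its own inverse)."""
    return bytes(b ^ key for b in data)

def score_as_pe(candidate: bytes) -> int:
    """2 points for 'MZ' at offset 0, plus 1 for each further PE marker present."""
    score = 2 if candidate[:2] == PE_HALLMARKS[0] else 0
    score += sum(1 for marker in PE_HALLMARKS[1:] if marker in candidate)
    return score

def recover_xor_key(blob: bytes):
    """Return (key, decoded_bytes) for the best-scoring key, or None if no key
    produces anything that looks like a PE file (score below 2)."""
    best = None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        s = score_as_pe(decoded)
        if s >= 2 and (best is None or s > best[0]):
            best = (s, key, decoded)
    return None if best is None else (best[1], best[2])

# Constructed fake PE stub: DOS header, padding, DOS stub text, PE signature.
FAKE_PE = (b"MZ" + b"\x90" * 62
           + b"This program cannot be run in DOS mode.\r\n"
           + b"\x00" * 16 + b"PE\x00\x00" + b"\x00" * 32)
# Stand-in for the captured payload, encoded with the key named in the post.
ENCODED_SAMPLE = xor_bytes(FAKE_PE, 0x95)

if __name__ == "__main__":
    key, decoded = recover_xor_key(ENCODED_SAMPLE)
    print(f"recovered key 0x{key:02x}, decoded header {decoded[:2]!r}")
```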

The exploit sets and checks a cookie to avoid exploiting the same system twice. Once DeepGuard has blocked the exploit and forced the tab to close, IE will try to reopen the tab. Because the cookie was set, the JavaScript code skips the exploit and simply redirects the user to

YouTube: DeepGuard 5 vs. IE Zero-Day Exploit CVE-2013-3893

In other words… our technology offers superior protection to customers — on day zero.

You can read more about our DeepGuard technology in this white paper. Read and enjoy while installing today's updates.

Post by — Timo


Monday, October 7, 2013

Visit From a "Ghost" Posted by Sean @ 17:58 GMT

Aww man. I had a meeting today with Timo Laaksonen (younited) and missed a chance to meet Kevin Mitnick.

But… he left me this very nice autograph in my copy of Ghost in the Wires.

Ghost in the Wires

Cool "bookmark"!

Post by — @Sean


Friday, October 4, 2013

Cryptocurrency Mining Posted by Sean @ 12:41 GMT

Bitcoin, everybody's favorite cryptocurrency, made news this week with the arrest of Silk Road proprietor, the Dread Pirate Roberts.

It seems cryptocurrencies are becoming (almost) mainstream. And with that… comes cryptocurrency malware schemes.

Silent Miner

A topic which is covered in great detail in our recently published H1 2013 Threat Report:

Crypto Currency Mining


Hearing on FISA Oversight of NSA Posted by Sean @ 10:24 GMT

The United States government may have "shutdown" on October 1st… but that didn't stop the U.S. Senate Judiciary Committee from holding a hearing on FISA Oversight of the NSA on October 2nd.

There's been plenty of press coverage.

But for such important matters — it's worth watching the source material (if you can stomach "sausage making"):

Senate Judiciary Cmte Hearing on FISA Oversight

The entire three-hour-and-thirty-eight-minute hearing is available via C-SPAN: Intel Chiefs Testify at Senate FISA Oversight Hearing

Updated to add: The second panel (legal history and technology concerns) starts approximately 2.5 hours into the hearing.


Adobe Hacked Posted by Sean @ 08:53 GMT

Do you have an account?

If yes… you'll want to sign in and reset your password. Why? Because Adobe has been hacked.

From Adobe:

"Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders."

Encrypted passwords and credit/debit card numbers, et cetera. So you may also wish to monitor any cards which were on file at Resetting your password is a straightforward process.

Sign in:

Sign in

Required Password Reset:

Required Password Reset

"Click this link to reset your password."

Click this link to reset your password

Fortunately, my account was for testing and I used a unique password made up of random letters and numbers.

Unfortunately, I still have an account, even though I looked into deleting it a few weeks ago.

Also of significant interest is the fact that some source code was compromised.

Read Krebs on Security for more details.

Post by — @Sean


Wednesday, October 2, 2013

IE Vulnerability Update #Japan #Metasploit Posted by Sean @ 12:28 GMT

Microsoft's Security Advisory (2887505), regarding a vulnerability in Internet Explorer, was issued just over two weeks ago. We added exploit detection soon thereafter. At the time, Microsoft reported that exploitation of the vulnerability was in limited use.

Microsoft Security Advisory for CVE-2013-3893

Since then, evidence of attacks on Japanese targets via media sites has surfaced.

And in the last week, our customer upstream data indicates limited use within Taiwan.

Most importantly, there is now Metasploit support for CVE-2013-3893. So it's only a matter of time before it's added to popular exploit kits such as Blackhole. If not this week, then almost certainly a day or two after Microsoft releases its patch next Tuesday.

We recommend avoiding IE (if possible) until it's updated. If you manage a network, Microsoft has a Fix it tool available.

Updated to add: 8 Microsoft patches coming, including Internet Explorer zero-day


ZeroAccess: The Most Profitable Botnet Posted by Sean @ 11:17 GMT

In March of this year, researchers on Symantec's Security Response team began looking at ways in which they might be able to "sinkhole" (takedown) ZeroAccess — one of the world's largest botnets. But then… in late June, the botnet started updating itself, removing the flaw that the researchers hoped to take advantage of. Faced with the choice of some or nothing, the team moved to sinkhole what they could. And that was over 500,000 bots.

A very commendable effort!

Ross Gibb and Vikram Thakur are presenting a paper about lessons learned at this year's Virus Bulletin.

Unfortunately, the bulk of ZeroAccess is still with us…

To learn more about it — download this report — extracted from our H2 2012 Threat Report.