NEWS FROM THE LAB - November 2012


Thursday, November 29, 2012

Recommended Reading on WCIT and Weev Posted by Sean @ 12:37 GMT

Following up on our Nov. 21st post about Andrew "Weev" Auernheimer, we recommend this from Gawker's Adrian Chen:

  •  The Internet’s Best Terrible Person Goes to Jail: Can a Reviled Master Troll Become a Geek Hero?

Auernheimer's sentencing is scheduled for Feb. 25, 2013. (View our poll results.)

And following up on our Nov. 23rd post about Google's WW3.0 efforts, we highly recommend this from Wired UK by Olivia Solon:

  •  A simple guide to the ITU's World Conference on International Telecommunications

Of everything we've read on the topic in the last few weeks (and that's a lot), Solon's piece best sums up all of the important details in a concise and impartial manner. Check it out.


Wednesday, November 28, 2012

"Mostly Men, Quite a Few Ponytails" Posted by Sean @ 14:22 GMT

BBC Radio 4 has a report by Simon Cox called — The Hackers — that's worth a listen.

BBC Radio 4, The Hackers

And if you listen carefully… you'll hear Mikko being interviewed.


Tuesday, November 27, 2012

Espionage Weapon = Baloney Posted by Sean @ 13:32 GMT

Fun fact: a search for — "espionage weapon" -flame -flamer — returns a lot of nonsense.

Searches that include "Flame" or "Flamer" return a bunch of reports and hype about so-called cyber weapons.

Espionage Weapon Flame, OMG!

It's almost as if folks in "some countries" don't know the difference between a "tool" and a "weapon".

Or maybe they do know the difference… but one word is much more useful than the other when it comes to their political agenda.


Monday, November 26, 2012

FP's Top 100, Number 78: Tor Posted by Sean @ 11:41 GMT

Foreign Policy magazine has published its annual 100 Top Global Thinkers list.

At #78: Roger Dingledine, Nick Mathewson, Paul Syverson

Founders of the Tor Project.

FP's Top 100 2012, #78

Tor: something that "some governments" would like to block.

28c3: How governments have tried to block Tor


Friday, November 23, 2012

Google Joins World War 3.0 Posted by Sean @ 14:20 GMT

Back in October, we wrote about The ITU Telecom World 2012 conference in Dubai, a precursor to this December's World Conference on International Telecommunications (WCIT-12) which will review current International Telecommunication Regulations (ITRs).

Some, such as the folks at Protect Global Internet Freedom, are concerned actions taken at WCIT-12 will change important aspects of Internet governance.

In other words, concerned the ITU will attempt to take control away from the geeks and give it to governments. (And then things get political — never a good engineering move.)

Thus entered Google into the fray this week with its "Take Action" campaign:

Google Take Action, World War 3.0

According to Google:

"Some governments want to use a closed-door meeting in December to increase censorship and regulate the Internet."

Some governments? Not EU governments.

Today the European Parliament passed a resolution that includes:

"The European Parliament"

"Believes that the ITU, or any other single, centralised international institution, is not the appropriate body to assert regulatory authority over either internet governance or internet traffic flows"

World War 3.0: to be continued…


Wednesday, November 21, 2012

Free Weev. Free Weev? Posted by Sean @ 13:22 GMT

Once upon a time there was an Internet troll…

I've been following the case of Mr. Andrew "Weev" Auernheimer for nearly two and a half years. And yesterday, he was found guilty of violating the USA's Computer Fraud and Abuse Act (CFAA). Caution: you may be in violation of the CFAA at this very moment! But more on that below.

So, just what did Andrew do?

Well, back in 2010 he and a buddy (Daniel Spitler) figured out that AT&T servers linked e-mail addresses related to 3G iPad accounts using the device ICC-ID. Ask the server for a particular ICC-ID, and if it was a registered 3G model, an e-mail address came back in the reply. So they wrote a script and systematically "slurped" 120,000 addresses. They then shared those addresses with Gawker.

It became headline news.

Eventually… the FBI got involved.

Now trolls being trolls, Andrew (and Gawker) attempted to make lots of hay out of the situation in a very loud and (IMHO) stupid way. I was quoted, and re-quoted, as saying the disclosure was completely irresponsible.

A position I later clarified and modified here: Gawker's Data Disclosure.

Daniel Spitler pleaded out of court to the criminal charges brought against the two. Andrew opted to go to court. And in the years since… the world shifted beneath his feet. In the summer of 2010, Weev was a hacker and an Internet troll. Annoying but ultimately, mostly harmless.

But thanks to Anonymous and LulzSec — hackers are now enemies of the state — and therefore, well, too bad for Andrew.

Is that fair?

Personally, I don't think so.

And does it make any sense?

Robert David Graham doesn't seem to think so. You may be in violation of the CFAA! Remember that from above? Graham wrote an excellent post regarding the vagueness of the CFAA, which was written in 1986. Anybody could potentially be guilty of CFAA violations as the law is currently written.

It's easy to find "slurping" tools.

Does using this violate the CFAA?


Bottom line: Andrew is a troll and he did something stupid, and to be frank, irresponsible. But does he deserve up to ten years in Federal prison for slurping e-mail addresses that were never even made public? (He faces two consecutive five year terms.)

What do you think?

Does Andrew “Weev” Auernheimer deserve jail time?

Read more:

MIT Technology Review: Jail Looms for Man Who Revealed AT&T Leaked iPad User E-Mails
Wired: Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data



Tuesday, November 20, 2012

A New Linux Rootkit Posted by Sean @ 11:48 GMT

Details of a new Linux rootkit turned up on SecLists.Org's Full Disclosure Mailing List last week: linux rootkit in combination with nginx.


CrowdStrike has excellent analysis of it here: HTTP iframe Injecting Linux Rootkit.

CrowdStrike's key findings:

  •  The rootkit is generally crime related rather than a specialized targeted attack. It drives traffic to exploit kits.
  •  It appears to be new rather than a modified version of known rootkits.
  •  It is probably Russian in origin.

Our analysts are investigating the sample now.


Friday, November 16, 2012

Cool-er Than Blackhole? Posted by SecResponse @ 14:01 GMT

Exploit kits are still making the rounds, nothing new there. But in addition to the popular Blackhole Exploit Kit, a new kid on the block has emerged, dubbed the Cool Exploit Kit.

It's very interesting to see how these two actually fare against each other…

Lately, we're seeing that Blackhole has updated to the latest PluginDetect version 0.7.9, which has already been used by Cool.

Blackhole plugin

We've also seen Blackhole exploit the font vulnerability (CVE-2011-3402) that Cool has been exploiting.

Blackhole font

It seems that Blackhole is also now exploiting the Java vulnerability CVE-2012-5076, another vulnerability being exploited by Cool. In addition to this, Blackhole is once again serving Flash exploits like it did in version 1.

Blackhole vercheck

Of course, Cool wouldn't want to be left behind, as it performs similar checks on the same plugins and exploits the same vulnerabilities.

Cool vercheck

It may be just us, but the version checks by the two kits are very much alike. And when we checked out Cool's Flash exploits, we couldn't help but notice that it uses the same Flash filenames as seen in Blackhole version 1, which happen to exploit the same Flash vulnerabilities (CVE-2011-0559, CVE-2011-2110, CVE-2011-0611).

Cool Flash

As if that wasn't enough, other functions are pretty much similar as well.

Blackhole getcn

Cool getcn

So is Cool really better? With all these "differences", it appears that Cool and Blackhole are more than just a tiny bit related. And we weren't the only ones to notice this: @kafeine mentioned in his post that there's a high chance that both kits have the same author.

Post by — Karmina and @TimoHirvonen


Thursday, November 15, 2012

Berlin Police: Beware Android Banking Trojans Posted by Sean @ 13:00 GMT

The Berlin Police Department issued a press release this past Tuesday about criminal complaints of fraudulent cash withdrawals. All of the cases involved SMS mTans and Android smartphones.

Pressemeldung #3628
Original; Google Translate

It sounds to us like a case of ZeuS in the Mobile (Zitmo), sometimes also called ZeuS Man in the Mobile (ZeuS Mitmo). We first wrote about Zitmo back in September 2010. An important thing to realize about Zitmo is that it isn't "mobile" malware as such. Rather, Zitmo is a companion/complement component to a Windows-based ZeuS bot. Zitmo works with its Windows-based ZeuS when the bank customer has SMS mTans as an additional layer of authentication.

To counter the mTan layer of security, ZeuS bots will inject a "security notice" form during a banking session asking the customer for their phone model and number. The bad guys will then send an SMS link to a so called "security update", which is actually the Man in the Mobile component needed to circumvent the mTan.

There are plenty of ZeuS bots in the wild. For example, two months ago we wrote about Gameover, the P2P version of ZeuS. There are nearly 49,000 German infections of just that one ZeuS-based botnet. Any number of those infections could become a target of Zitmo.

So what is the best defense against Zitmo? The Berlin Police Department recommends that citizens be skeptical of "security updates" claiming to come from one's bank and that they defend their home computer.

Which includes, by the way, having an up to date antivirus service installed.


On a self-promotional note:

Threats such as Zitmo are just one of the reasons why we offer Internet Security + Mobile Security as a bundle.

And threats such as ZeuS are why our latest Internet Security feature is called Banking Protection, which is designed to block man-in-the-middle and form-injection attacks.

All of your devices are connected, folks. Keep them safe.


TED Talks For Geeks Posted by Mikko @ 08:36 GMT

TED Talks have reached a major milestone: their videos have now been viewed more than One Billion times. That's a lot. There are around 1000 talks, so that's an average of a million views per talk. Which checks out, as my own TED Talk from 2011 has passed a million views combined on, YouTube and Netflix.

As part of the celebrations, TED created a new service: TED Playlists. Everybody can now create a playlist of their favorite talks. And to launch the service, they asked some friends of TED to curate their own favorite playlists.

The good folks at TED were kind enough to ask me to do one, together with the likes of Bill Gates, Bono, Barbra Streisand, Peter Gabriel and Ben Affleck.

Mikko TED

So, my playlist is available here. It's mostly talks by geeks, for geeks… but there's also one talk about fish.

Thanks TED.

Signing off,


Wednesday, November 14, 2012

New Variant of Mac Revir Found Posted by Brod @ 09:00 GMT

There are reports of a new variant of Mac malware. We are aware of the attack and our customers are already protected. It's a minor variant of Revir.C. For the payload, it's basically still the same Imuler variant we wrote about back in September. Most probably it was rebuilt in an effort to avoid detection. As usual, the attack is targeted at Tibetan rights activists.

Hopefully we didn't confuse you with our names. We detect the dropper component as Revir while the backdoor payload is called Imuler. This was because when we first discovered the family last year, we thought that the dropper might be customized to carry a different malware as payload. But so far, Revir and Imuler have always been used together.

We have updated our database since yesterday to detect the new variants.

Our descriptions are also now online. Please check them out for more details:

  •  Trojan-Dropper:OSX/Revir.D (MD5: 2d84bfbae1f1b7ab0fc1ca9dd372d35e)
  •  Backdoor:OSX/Imuler.B (MD5: 9ccc685f4d95403848ca24d9b8003b5b)


Tuesday, November 13, 2012

Q3 Mobile Threats in Play Posted by Sean @ 13:29 GMT

Our Q3 2012 Mobile Threat Report shows that we discovered more than 51,000 samples of Android malware during the third quarter.

Android Samples Q3, 2012

And we've been asked, how many of those were discovered in Google Play?

So here's a breakdown: there were 28,398 malicious samples, of which 146 came from Google Play; and there were 23,049 potentially unwanted software (PUA) samples, of which 13,639 came from Google Play.

Note: please remember that sample does not necessarily equal threat. Based on our detections, the number of "families" in the wild is actually down when compared to Q3 2011.

Q3MTR chart

The Android ecosystem is getting busy with plenty of "entrepreneurs" — but it is still far away from being the highly commoditized ecosystem that is Microsoft Windows.


Monday, November 12, 2012

Meet Timo and Karmina Posted by Sean @ 15:21 GMT

Two of our analysts have recently done guest posts for our Safe and Savvy blog.

Meet Timo: We Protect You: Timo Hirvonen, Anti-malware Analyst

Timo Hirvonen

And Karmina: An ounce of prevention: Anticipating online threats in F-Secure Labs

Karmina Aquino


Thursday, November 8, 2012

Tally of November's Vulnerabilities and a Zero-Day Posted by Sean @ 12:20 GMT

It's not yet the second Tuesday of the month — but already there are a good number of important updates that you should apply. And one significant zero-day of which you should be aware.

First up: Flash! Adobe released an important update on November 6th (details here) that corrects seven vulnerabilities.

Check your version here.

Flash 11.5.502.110

11.5.502.110 is the latest version depending on the browser. Do remember you don't need to have more plug-ins installed than you actually use. For example, Chrome includes its own version of Flash.

And speaking of Chrome, Google also released a security update on the 6th (details). That's a rather easy update, just check About (chrome://chrome/) to see that you're running version 23.0.1271.64.

Chrome 23.0.1271.64

Apple released updates for the Windows version of QuickTime on November 7th (details). QuickTime 7.7.3 includes 9 updates for vulnerabilities which appear to be exploitable in drive-by attacks. QuickTime is no longer required by iTunes. If you don't remember the last time it was used, ask yourself, do you really need to have QuickTime installed? (It's a very popular target.)

Speaking of popular targets…

Java! Be sure your Java Runtime client is up to date. (Check your version here.) Our single biggest detection based on upstream data is: Exploit:Java/Majava.A. Java Runtime is the number one target bar none.

And the second most common detection based on our upstream data is: Exploit:W32/CVE-2010-0188.B. An exploit for Adobe Reader which, as you can see from the CVE number, dates back to 2010. So make sure you're running the latest version of Adobe Reader.

But even then, be aware there's an Adobe Reader zero-day vulnerability being reported by Group-IB.

The vulnerability is significant because it is able to exploit current, up-to-date versions of Adobe Reader, and is able to break out of Reader's sandbox to exploit the host computer.

Group-IB US: Zero-day vulnerability found in Adobe X

According to Group-IB, some high end versions of the Blackhole Exploit Kit are being sold. So the exploit isn't widely in use… yet. Consider mitigating your use of Reader if you have it installed.

Here's a YouTube video of the exploit in action.


Wednesday, November 7, 2012

A Presidential Visit to F-Secure Posted by Sean @ 16:53 GMT

The President of Estonia, Toomas Hendrik Ilves, paid us a visit last Friday.

The flags of Estonia and Finland

He was on a working visit, and afterwards, came to see Mikko whom he follows on Twitter.


And it was a very interesting conversation! President Ilves is very well versed in cyber security issues.

President Ilves and Mikko

Tallinn, Estonia hosts the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE).

Besides cyber security, Estonia is also well known for its innovative use of Internet technologies, and President Ilves was recently named one of TechCrunch's 20 Most Innovative People In Democracy 2012.

Congratulations, sir. It is well earned.


Monday, November 5, 2012

Q3 2012 Mobile Threat Report is Out! Posted by ThreatSolutions @ 05:15 GMT

Our Mobile Threat Report is out, covering mobile threats found throughout the third quarter of 2012. 67 new families and variants of existing families were discovered, and some platforms that were previously enjoying quiet time (e.g. iOS, Windows Mobile) are now seeing their peace disturbed thanks to the multi-platform FinSpy trojan.

Q3MTR chart

More details are available in the full report. Grab your copy here [PDF].

Q3MTR cover