NEWS FROM THE LAB - November 2013


Thursday, November 28, 2013

Bitcoin Fraud Gets Connected Posted by Mikko @ 08:19 GMT

Bitcoin $1000

Bitcoin, and other digital currencies such as Litecoin and Peercoin, will change the way we exchange money. But they come with a major flaw: they can also be used to turn infected computers into devices that "print" money.

The beauty of the algorithm behind Bitcoin is that it solves two main challenges for cryptocurrencies - confirming transactions and generating money without causing inflation - by joining them together. Confirmations are given by other members of the peer-to-peer network, who in return are given new Bitcoins for their labour. The whole process is known as "mining".

When Bitcoin was young, mining was easy. You could earn Bitcoins by mining on a home computer. However, as the currency's value grew (from $8 to $1000 during 2013), more people took up mining, and, in response, mining became (mathematically) harder and required more powerful computers. Unfortunately, those computers don't have to be your own. Some of the largest botnets run by online criminals today are monetized by mining. Any infected home computer could be mining Bitcoins for a cybercrime gang.

Using botnets to mine is big business. ZeroAccess, the second-largest botnet in the world, made tens of thousands of dollars a day by using its infected machines to mine for cryptocurrencies. This is especially effective when the infected machines have a high-end GPU on their video cards.

Mining botnets such as these do not require a human user - just processing power and a network connection. The internet of things will bring millions more connected computers on to the web, embedded in devices such as cars and rubbish bins. And not all of them will have to have as high a spec as even a Windows PC to mine money: Litecoin, for example, uses more memory-intensive algorithms that can be run on a regular CPU rather than on high-end GPUs.
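To make the mining mechanism described above concrete, here is an added illustration (not code from the original column): a miner searches for a nonce whose SHA-256 falls below a target, and the target shrinks, i.e. the difficulty rises, when blocks arrive faster than planned because more hashing power joined. The header bytes, the target size and the retarget interval are simplifications chosen for this example; Bitcoin itself uses double SHA-256 over an 80-byte header and retargets every 2016 blocks.

```python
import hashlib
import struct

# Simplified proof-of-work: hash (header || nonce) and accept when the value
# is below the target. Higher difficulty means a smaller target, so more
# hashes are needed on average per block, which is why mining got harder
# as more miners joined during 2013.

MAX_TARGET = 1 << 244          # easiest target (difficulty 1): ~4096 hashes per block

def target_for(difficulty: float) -> int:
    return int(MAX_TARGET / difficulty)

def block_hash(header: bytes, nonce: int) -> int:
    digest = hashlib.sha256(header + struct.pack("<Q", nonce)).digest()
    return int.from_bytes(digest, "big")

def mine(header: bytes, difficulty: float, max_nonce: int = 1 << 32):
    """Return (nonce, hashes_tried) for the first nonce meeting the target."""
    target = target_for(difficulty)
    for nonce in range(max_nonce):
        if block_hash(header, nonce) < target:
            return nonce, nonce + 1
    raise RuntimeError("no solution in nonce range")

def expected_hashes(difficulty: float) -> float:
    """Average work per block; doubles when the difficulty doubles."""
    return (1 << 256) / target_for(difficulty)

def retarget(difficulty: float, actual_seconds: float, expected_seconds: float) -> float:
    """Raise the difficulty when the last period was faster than planned,
    lower it when slower. The per-period change is clamped to a factor
    of 4, as Bitcoin does."""
    ratio = max(0.25, min(4.0, expected_seconds / actual_seconds))
    return difficulty * ratio

if __name__ == "__main__":
    header = b"constructed block header"      # constructed sample input
    for difficulty in (1, 4):
        nonce, tried = mine(header, difficulty)
        print(f"difficulty {difficulty}: nonce {nonce} after {tried} hashes "
              f"(expected about {expected_hashes(difficulty):.0f})")
    # A period in which blocks came twice as fast as planned doubles the difficulty.
    print("retarget:", retarget(1.0, actual_seconds=300, expected_seconds=600))
```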

The mythical internet-connected fridge may at last have found an - admittedly criminal - reason to exist.

Mikko Hypponen
Originally published in Wired UK 12/2013


Friday, November 22, 2013

CryptoLocker: Your "Order" is Being Processed Posted by Sean @ 13:01 GMT

Today we uploaded a CryptoLocker encrypted file to its "Decryption Service".

We were promptly provided our Order ID:

CryptoLocker Decryption Service, Search in Progress, By using this service, you can purchase private key and decrypter for files encrypted by CryptoLocker.

We've read that a public/private key pair match can take up to 24 hours. But ours was found in under one.

CryptoLocker Decryption Service, Key Pair Found

Because our encrypted file was created today, the price of the private key is 0.5 BTC. Note the price will change to 4 BTC on Tuesday (after 72 hours have passed).

At the time of this post, that's equal to approximately 3,000 USD or 2,200 EUR.


Thursday, November 21, 2013

CryptoLocker: Pac-Man Fever Posted by Sean @ 17:31 GMT

Two things about CryptoLocker.

1. The price of Bitcoin has been wildly volatile lately. And that type of commodity volatility affects Bitcoin's ability to act as a currency because prices are quickly driven out of whack. Even for ransomware such as CryptoLocker.

Here's a screenshot from a November 20th variant:

CryptoLocker 2013.11.20, Bitcoin

The price of decryption is now 0.5 BTC.

CryptoLocker 2013.11.20, Send coins to…

Just a few weeks ago, the going rate was two Bitcoin.

2. This is the wallpaper CryptoLocker sets:

CryptoLocker 2013.11.20, Download

While the text shown above notes the destruction of "your private key" — it isn't actually destroyed.

The site from which CryptoLocker can be downloaded also offers a "Decryption Service" that can be accessed after the countdown. (But you'll have to pay more.) Because the service isn't tied to a particular computer, a file must be uploaded in order for the service to match it with a key.

CryptoLocker Decryption Service

Uploading a file includes "Pac-Man" animation while you wait:

CryptoLocker, Pacman

Somebody likes classic video games…


Wednesday, November 20, 2013

CryptoLocker: Please Kindly Find Our New PO Posted by Sean @ 11:56 GMT

Yesterday's CryptoLocker post mentioned that it's spreading via spam. It's actually a spam campaign that installs an intermediary, which then installs CryptoLocker. But in any case, the first link in the chain that results in a CryptoLocker infection is spam.

And here's a fresh example of the message being used: "Please kindly find our new PO per attachment. Could you provide your PI for confirmation. Our Order file is password protected and can be opened/accessed with password: TRADING"

CryptoLocker, Spam
Image source: @davidmacdougall

The company the message claims to be from (blurred in the example above) is of course an innocent bystander whose good name is being abused as part of this scheme.

Note that the attachments are password protected. This allows the threat to bypass gateway security measures. If you're an information security manager, don't take it for granted that the people in your organization know not to open attachments.
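A password-protected zip hides its contents from a scanner, but not its member names or the "encrypted" flag, and that is enough for a gateway rule. The check below is an added example (not F-Secure's code): it builds a constructed archive, sets the ZipCrypto flag by hand because Python's zipfile cannot write encrypted archives, and then flags encrypted archives carrying executables and double-extension names such as the "PDF" lures mentioned in the November 19th post below.

```python
import io
import struct
import zipfile

# Constructed sample attachment: a zip with a double-extension executable. Bit 0
# of the general-purpose flag marks a ZipCrypto-encrypted member; we set it in
# the local header (offset 6) and central-directory entry (offset 8) ourselves.

EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        eocd = data.rfind(b"PK\x05\x06")                       # end of central directory
        cd = struct.unpack_from("<I", data, eocd + 16)[0]     # central directory offset
        lh = struct.unpack_from("<I", data, cd + 42)[0]       # local header offset
        for off in (lh + 6, cd + 8):
            flags = struct.unpack_from("<H", data, off)[0] | 0x0001
            struct.pack_into("<H", data, off, flags)
    return bytes(data)

def inspect_attachment(blob: bytes) -> dict:
    """Findings a gateway can derive without knowing the password."""
    findings = {"encrypted_members": [], "executable_members": [], "double_extension": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings                 # not a zip; other handlers apply
    for info in zf.infolist():          # names are readable even when data is encrypted
        lower = info.filename.lower()
        if info.flag_bits & 0x0001:
            findings["encrypted_members"].append(info.filename)
        if lower.endswith(EXEC_SUFFIXES):
            findings["executable_members"].append(info.filename)
            base = lower.rsplit("/", 1)[-1]
            if len(base.split(".")) > 2:          # e.g. order.pdf.exe
                findings["double_extension"].append(info.filename)
    return findings

def should_quarantine(findings: dict) -> bool:
    """Policy for this example: encrypted archive that carries an executable,
    or any double-extension executable, is held for review."""
    encrypted_exec = bool(findings["encrypted_members"]) and bool(findings["executable_members"])
    return encrypted_exec or bool(findings["double_extension"])

if __name__ == "__main__":
    sample = build_sample_zip("Order/PO.pdf.exe", b"MZ constructed fake executable", True)
    result = inspect_attachment(sample)
    print(result, "quarantine:", should_quarantine(result))
```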


Tuesday, November 19, 2013

CryptoLocker: Better Back Up Your Stuff Posted by Sean @ 19:34 GMT

If you haven't heard much about "CryptoLocker" yet… you will.

Unlike much of the ransomware we've written about in the past, CryptoLocker doesn't attempt to use police themed trickery or other sleight of hand. It's strictly business. It infects via e-mail attachments (zip files containing supposed PDF files) and then sets about encrypting all of your personal data files — photos, music, documents, et cetera.

And then… you have three days to pay the ransom. Or else.

CryptoLocker is trending in the US:

US-CERT Alert (TA13-309A)

And in the UK:

Mass ransomware spamming event targeting UK computer users

It's largely a problem in English-speaking countries because that's the language used in the e-mail bait. For now. It's certainly only a matter of time before somebody decides to expand into other languages.

And here's the kicker. One of the ways in which you can pay? Bitcoin.

Cryptolocker, Bitcoin
Source: Microsoft

That's right, CryptoLocker accepts everybody's favorite cryptocurrency as payment. And that's why this could be a tipping point. One of the biggest factors keeping ransomware at bay is the difficulty it takes to get paid. Thanks to Bitcoin and other similar digital currencies… that barrier is eroding fast.

Ransomware economics: the more frictionless Bitcoin becomes — the more prevalent CryptoLocker will become.

Backup your stuff.


Thursday, November 14, 2013

Don't Do Business With These Companies Posted by Mikko @ 19:26 GMT

What do Inteqno, Altran Strategies, Deticaconsulting and Nezux have in common?

Well, first of all, they are all one and the same. Or actually, none of them are real companies at all. They are phony online shells run by online criminals. They only serve one purpose: to make it appear that these companies are legitimate, that they really exist and that they have a history. This is needed to give them enough credibility to try to hire people.

So what kind of people are phony companies hiring? Specifically, they are hiring money mules. Of course, these companies don't label positions as "money mules"; they call the job position "Customer Assistant" or "Operations Assistant".

These companies post job offers on sites like Linkedin and send them out via direct emails.

Sites involved in money mule scams used to be very easy to spot at first glance: no Google history, WHOIS data hidden with Privacy Protect, site content lifted directly from a real company, a robots.txt preventing site indexing. None of those are true for these sites. Nevertheless, avoid them like the plague.


Thursday, November 7, 2013

New Release of Our Free Android Permissions Dashboard Posted by Sean @ 17:55 GMT

F-Secure App Permissions, our Android permissions dashboard, launched on November 1st. And in just under one week, there are thousands of installs and extremely positive feedback. Thank you! The developers are very pleased and have been busy implementing some additional features based on the input. Today they released version 1.2.5.

Here's what's new:

What's New

Some screen shots of the app:

App Permissions 1.2.5 App Permissions 1.2.5

App Permissions 1.2.5 App Permissions 1.2.5

Best of all — App Permissions requires ZERO permissions.

It's totally free, small, and easy to use.

You'll find it on Google Play: F-Secure App Permissions.

Please give it a try, and for those of you who already have, additional feedback is very welcome. Cheers!

P.S. We'll discuss more about App Permissions during tomorrow's webcast.


DeepGuard 5 vs. the CVE-2013-3906 Zero-Day Exploit Posted by SecResponse @ 13:46 GMT

On Wednesday, we noted a zero-day vulnerability in the Microsoft Graphics component. The vulnerability is being actively exploited in targeted attacks using Word documents.

Long story short, here's a video of the exploit losing to our Internet Security:

DeepGuard 5 vs. Microsoft Graphic Component Zero-Day Exploit CVE-2013-3906

The Word document in the video has been used in real attacks and is one of the exploits analyzed by McAfee and AlienVault. The attack has been recreated on an isolated test network with a vulnerable system running Office 2007 on 64-bit Windows 7. As the video demonstrates, the exploit interception feature in DeepGuard 5 (our behavioral engine) prevents the system from getting infected.

Moreover, DeepGuard would have proactively protected our customers from this zero-day exploit already prior to the Microsoft advisory and without us ever having seen the first samples.

Furthermore, we did not need to add or modify any DeepGuard detections — it blocked the current zero-day with the same set of detection rules as the previous Microsoft zero-day about a month ago.

That is the power of proactive, behavior-based exploit protection.

Post by — Timo*

*Editor's note: Timo is a Senior Researcher and our (justifiably) proud DeepGuard service owner. Kudos, Timo!


Wednesday, November 6, 2013

F-Secure Corporation's Answer to Bits of Freedom Posted by Mikko @ 21:09 GMT

We received a letter sent by Bits of Freedom and signed by 25 different parties, who were interested in our policy on the use of our software for the purpose of state surveillance. The same letter was sent to 15 other antivirus companies.

They had four questions in particular:

1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?

2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?

3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?

4. Could you clarify how you would respond to such a request in the future?

(See here for the full letter.)

Here's our official answer, mailed back to Bits of Freedom on the 1st of November:

Letter to

Reference: Policy on Detecting Government Spy Programs


Mobile Security Webcast: 8.11 17.00 EET Posted by Sean @ 16:41 GMT

It's a good thing that I follow @FSecure's Twitter account, because apparently I'm doing a webcast with Mikko on Friday.

Mobile security is the topic of discussion.

Mobile Threat Report Q3

I vaguely remember agreeing to it based on Mikko's schedule. And November 8th fit his busy travel schedule.

This is how I normally track his whereabouts:

Moscow, Paris, Berlin

Or else I receive prank texts:

Greetings from Moscow

Not really (mostly).

Anyway, please join us on Friday, details here:

  •  Mobile Threat Report with F-Secure Labs

And if you're American (like me) and "8.11 17.00 EET" just looks like a bunch of random numbers strung together…

that's November 8, 2013 at 5:00 PM (in Helsinki) which is 10:00 AM on the East Coast of North America.

Post by — @Sean


Microsoft Security Advisory (2896666) #APT Posted by Sean @ 16:04 GMT

On Monday, we wrote about motivated attackers. And yesterday, Microsoft issued a Security Advisory about a vulnerability which is being exploited "largely in the Middle East and South Asia."

Microsoft Security Advisory (2896666)

Microsoft Support has a Fix it tool (Microsoft Fix it 51004) available.

This is the list of affected software:

Affected Software

Though, there appear to be some questions about that list.

We recommend InfoWorld's article:

  •  Deciphering Microsoft Security Advisory 2896666 on Word zero-day exploit


Tuesday, November 5, 2013

Facebook Name Search Changes Posted by Sean @ 13:49 GMT

Facebook is changing a privacy setting. Shocking, right? Anyway, the setting is not used by most people and is called: who can look up your timeline by name. Here's the justification from Facebook:

This is either a big deal or not, and that may have to do a lot with your name.

For some of us, the signal to noise ratio already provides a relatively anonymous experience.

While for others…

Probably the key reason that Mikko doesn't really use Facebook.

Some folks (mostly women from what we've seen) even tweak their names just a bit, so they'll be unsearchable.

Whatever your privacy tactics, if you have a Facebook account, now is a good time to review the settings. We recommend turning off: Do you want other search engines to link to your timeline?

Updated to add: By the way, do you know somebody who needs some privacy settings advice?

Refer them to our Facebook app: F-Secure Safe Profile.


Monday, November 4, 2013

Why Motivated Attackers Often Get What They Want Posted by Antti @ 11:07 GMT

Do you work for a company possessing information which could be of financial value to people outside the organization? Or, perhaps even a foreign state would find it useful to gain access to the documents you're storing on that shared network drive? Yes? Then congratulations, you may already be the target of a persistent and motivated attacker (who sometimes, but rarely, is also advanced).

According to this CERT-FI presentation, even Finland has seen nearly a decade of these attacks. Nowadays, they're everywhere.

A good example of a targeted attack is the one against RSA in 2011, which our own Timo Hirvonen analyzed. This post tells the whole story of Timo looking for the original source of the infection in RSA's network, which he eventually found:

RSA 2011 email

RSA was breached with a document sent as an e-mail attachment to an employee. The document contained an embedded exploit that infected the employee's computer, which gave the attacker the foothold needed to infiltrate. From that computer, they moved on to compromising the rest of the network.

Timo found the document among the files we receive via VirusTotal, which is an online service where you can submit files to be scanned with several antivirus engines. The user gets to see the scanning results, and thus the likelihood of maliciousness, and the file is sent to antivirus companies for further analysis. VirusTotal sees hundreds of thousands of files submitted every day.

We spend a lot of effort analyzing the files submitted through Virustotal, as we want to make sure we detect anything malicious. In addition to the day-to-day malware, we also analyze the exploit documents that suspicious users submit for scanning.

APT animation

All these documents contained exploit code that would have automatically installed malware onto a user's computer had they opened them with a vulnerable document reader. They give us a small glimpse into the targets as well: who are the people that would expect to receive attachments like this?

In our latest Threat Report, Jarno Niemelä took a set of these documents, extracted all the text from them and built word clouds.

Word clouds

The word cloud on the left is from documents we categorized as being political in theme. The one on the right is from documents we felt were corporate-themed. The clouds give you a hint of what kind of sectors are interesting to attackers.

The same tricks won't work forever, though. If you send enough e-mails with exploit attachments your targets will learn and adapt. And so we've seen new tricks in the form of "watering hole" attacks. Here's how they work: the attacker finds a website that he thinks his targets would be likely to visit. If you want to target software companies such as Twitter, Facebook or Apple, perhaps you choose a mobile development website. If you are going after government agencies, you might drop a zero-day exploit for IE8 on the US Department of Labor website. Then you simply wait for your targets to visit the site and get infected.

And then there's the good old trick with USB drives.

Russia USB G20

We don't have any information to confirm the news that the USB drives given to G20 leaders actually contained malware. If it's true, at least you can't blame the attackers for lack of optimism.

So, defending is simple: don't open e-mail attachments from your colleagues, don't browse the Internet and leave those USB drives alone. In reality, you of course have to remember many other things too. Defending against a motivated attacker is very, very difficult. You have to get everything right, every single day, while the attacker just has to find one mistake you made. The bad guys have it too easy and that's why so many of the organizations out there are under attack.

P.S. For some tips to protect against attacks like this, see the presentation Jarno Niemelä gave at Virus Bulletin this fall.


Friday, November 1, 2013

Scary Copycat Apps on Google Play Posted by Sean @ 14:15 GMT

All Hallows' Eve was yesterday — a.k.a. Halloween. And so naturally, there's an app for that. Or many apps as the case may be.

Here's a series of apps designed to "scare your friends".

Scare your friends

This one has more than 10 million downloads.

Scare your friends

Even these copycats have several hundred thousand downloads.

Scare your friends Scare your friends

Android doesn't really help differentiate between them.

Scare your friends

But if we use our permissions dashboard (App Permissions in Google Play) then we can see some big differences.

Scare your friends Scare your friends

The most popular app only wants three permissions while the copycats want 21! And worse yet, those permissions include the ability to see your personal information. That's what the copycat apps are after — your personal details.
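The comparison the dashboard makes can be reproduced from the apps' manifests. The script below is an added example (not the App Permissions code): it parses the uses-permission entries of two constructed AndroidManifest.xml files, diffs the sets, and names the extra permissions that reach personal data. The package names and permission lists are invented, and the personal-data grouping is this example's own, drawn from Android's documented permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read personal details. The grouping is an
# assumption for this example, not the dashboard's own categories.
PERSONAL_DATA = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone number and device IDs",
    "android.permission.GET_ACCOUNTS": "accounts on the device",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "text messages",
}

def requested_permissions(manifest_xml: str) -> set:
    """Collect the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def compare_apps(original_xml: str, copycat_xml: str) -> dict:
    """Diff the copycat's permissions against the original's and report
    which of the extra ones expose personal data."""
    original = requested_permissions(original_xml)
    copycat = requested_permissions(copycat_xml)
    extra = copycat - original
    return {
        "original_count": len(original),
        "copycat_count": len(copycat),
        "extra": sorted(extra),
        "personal_data": sorted(PERSONAL_DATA[p] for p in extra if p in PERSONAL_DATA),
    }

def manifest(package: str, permissions) -> str:
    """Build a minimal constructed AndroidManifest.xml for the example."""
    lines = [f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{package}">']
    lines += [f'  <uses-permission android:name="android.permission.{p}"/>' for p in permissions]
    lines.append("</manifest>")
    return "\n".join(lines)

# Constructed samples: invented package names and permission lists.
ORIGINAL_MANIFEST = manifest("com.example.scare", ["INTERNET", "VIBRATE", "WAKE_LOCK"])
COPYCAT_MANIFEST = manifest("com.example.scare.clone", [
    "INTERNET", "VIBRATE", "WAKE_LOCK", "READ_CONTACTS", "READ_PHONE_STATE",
    "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "READ_SMS", "RECEIVE_BOOT_COMPLETED",
])

if __name__ == "__main__":
    print(compare_apps(ORIGINAL_MANIFEST, COPYCAT_MANIFEST))
```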

Given that the "legit" version of the app is "borrowing" images from Hollywood films… there's nobody with an incentive to police the copycats. And Google, an advertising company, doesn't appear to have much incentive to police them either.

And so several hundred thousand people shared their personal details.

Scare your friends, indeed.

Analysis provided by — Jose