NEWS FROM THE LAB - December 2012


Friday, December 21, 2012

2012: #yearinreview, Part 3 Posted by Sean @ 10:50 GMT

Part 3 of our 2012: #yearinreview — October to December.

October 3, 2012

October 4, 2012

October 5, 2012

October 12, 2012

October 23, 2012

November 8, 2012

November 16, 2012

November 17, 2012

November 20, 2012

November 27, 2012

December 3, 2012

December 4, 2012

December 6, 2012

December 18, 2012

December 19, 2012

Which brings us to today, the last day in the office before a long Christmas break at F-Secure Labs. But just because this blog will be a bit quiet doesn't mean we're inactive. You can follow all of Mikko Hypponen's Tweets via:

Follow me, Sean Sullivan, via:

Here's an example of what I find to be of interest:

U.S. Senator Al Franken wants to ban "stalking" apps, which are often used to abuse women:

Marketplace Tech, Location Privacy

Location privacy is an important issue and the basis of our prediction that mobile spy software will go mainstream in 2013.

For excellent security and technology related news aggregation, follow:


And now for an end of year recommendation.

Check out the Risky Business security podcast's 2012 in review for a great compilation, with soundtrack, of Aussie Patrick Gray and Kiwi Adam Boileau's weekly news segments.


Finally, as you reflect back on the security issues of 2012, remember, don't panic.

Sometimes things just have a way of working themselves out.

Peace be with you,

2012: #yearinreview, Part 1
2012: #yearinreview, Part 2

Thursday, December 20, 2012

2012: #yearinreview, Part 2 Posted by Sean @ 07:59 GMT

Here's part 2 of our 2012: #yearinreview — July to September.

July 4, 2012

July 10, 2012

July 12, 2012

July 16, 2012

July 16, 2012

July 22, 2012

July 26, 2012

July 30, 2012

July 29, 2012

July 31, 2012

July 31, 2012

August 6, 2012

August 6, 2012

August 16, 2012

August 23, 2012

August 28, 2012

September 10, 2012

September 12, 2012

September 19, 2012

September 20, 2012

September 21, 2012

September 28, 2012

2012: #yearinreview, Part 1
2012: #yearinreview, Part 3

Wednesday, December 19, 2012

2012: #yearinreview, Part 1 Posted by Sean @ 10:12 GMT

2012: a year in which even Pope Benedict XVI started to Tweet his pontifications.

Like it or not, Twitter is the place where important conversations are happening.

And so we present to you our 2012: #yearinreview via @mikko's Tweets. Part 1 — January to June:

January 3, 2012

January 9, 2012

January 15, 2012

January 26, 2012

January 30, 2012

February 4, 2012

February 12, 2012

March 21, 2012

April 5, 2012

April 7, 2012

April 12, 2012

April 22, 2012

June 6, 2012

June 8, 2012

June 8, 2012

June 9, 2012

June 11, 2012

June 21, 2012

June 28, 2012

2012: #yearinreview, Part 2
2012: #yearinreview, Part 3

Friday, December 14, 2012

Joulupata Action Posted by Mikko @ 14:39 GMT

It's Christmas time! Time for charity!

In Finland, the most popular Christmas charity is run by the local salvation army. Their campaign is called Joulupata. And as you might expect, they have a website at

Earlier today, if you googled for "joulupata", the first search result looked unusual:


Looks dangerous. So let's visit the site with wget and set the http referer to so the site believes we arrived via Google.


/tds/in.cgi - this sounds like the Sutra TDS (Traffic Distribution System). This kit is often used to distribute malware and spam via hacked websites. In this case, there was no malware, just a redirect to a website called Replicavips.

If you would have visited the site without having as the referer, you would just end up on the unmodified frontpage.

And what's on Replicavips? It's a site where you can purchase counterfeit watches. Don't go there.


The TDS site has been blacklisted by F-Secure and relevant parties have been notified. Be careful out there.

Thanks to tpaavola for the tip.
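The referer-dependent redirect described in this post can be turned into a check that a site owner runs against their own pages; the following is an added example, not code from the original post. `SEARCH_REFERER`, the local `CloakedSite` stand-in and the `tds.example` host are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SEARCH_REFERER = "https://www.google.com/search?q=joulupata"  # constructed value

def probe(url, referer=None):
    """GET url once without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Referer": referer} if referer else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")

def check_cloaking(url):
    """Compare a direct visit with one that claims to arrive from a search result."""
    direct, via_search = probe(url), probe(url, SEARCH_REFERER)
    target = urlsplit(via_search[1] or "").hostname  # None if no or relative Location
    offsite = target is not None and target != urlsplit(url).hostname
    return {"direct": direct, "via_search": via_search,
            "suspicious": direct != via_search and offsite}

class CloakedSite(BaseHTTPRequestHandler):
    """Constructed local stand-in for the behaviour the post describes."""
    def do_GET(self):
        if "google." in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "http://tds.example/tds/in.cgi")  # placeholder host
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"unmodified front page")
    log_message = lambda self, *args: None  # keep the demo quiet

def demo():
    srv = HTTPServer(("127.0.0.1", 0), CloakedSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_cloaking("http://127.0.0.1:%d/" % srv.server_port)
    finally:
        srv.shutdown()

if __name__ == "__main__":
    print(demo())
```

Only HTTP-level redirects are compared here; a redirect injected as script or a meta refresh would not appear in the `Location` header and needs a comparison of the two response bodies instead.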


Seven Predictions for 2013 Posted by Sean @ 12:44 GMT

2013 Forecast

1. The end of the Internet as we know it?

The World Conference on International Telecommunications (WCIT) was held by the International Telecommunication Union (ITU) to finalize changes to the International Telecommunications Regulations treaty (ITR).

In attendance were representatives of governments, and companies, from around the world, not all of whom are interested in Internet freedom. In the end, the United States announced that it could not sign the ITR treaty as generated by WCIT. Several other nations followed.

— Read more —

Foreign Policy: Official: U.S. won't sign Internet treaty
Ars Technica: Why the ITU is the wrong place to set Internet standards
.Nxt: Internet humbles UN telecoms agency
Web under closer state watch appears to have a different take on the issue than does the Western media.

2. Leaks will reveal more government-sponsored espionage tools

Stuxnet, Flame, Gauss, et cetera — are they the tip of the iceberg?

A cyber arms race is well underway and while we may not always be aware of nation-states' covert cyber operations, we can expect that governments are more and more involved in such activity. In 2013, we'll most likely see more leaks that definitively demonstrate this, and from countries who haven't previously been seen as a source of attacks. As the arms race heats up, the odds of leaks increase.

3. Commoditization of mobile malware will increase

The Android operating system has solidified in a way that previous mobile operating systems haven't, extending from phones to tablets to TVs to specialized versions of tablets. The more ubiquitous it becomes, the easier to build malware on top of it and the more opportunities for criminals to innovate businesswise. Mobile malware will become more commoditized, with cybercriminals building toolkits that can be purchased and used by other criminals without real hacking skills. In other words, malware as a service, for Android.

4. Another malware outbreak will hit Macs

2011 saw scareware called Mac Defender, and in 2012 Flashback took advantage of flaws in Java. The Labs predict 2013 will bring another Mac malware outbreak that will have some success within the Mac community.

The author of the Flashback Trojan is still at large and is rumored to be working on something else. And while there have been smart security changes to the Mac OS, there's a segment of the Mac-using population who are basically oblivious to the threats facing Macs, making them vulnerable to a new malware outbreak.

5. Smart TVs will become a hacker target

Smart TVs are plugged into the Internet, they've got processing power, and since they typically aren't equipped with security, they're wide open to attacks. Adding to their vulnerability is that unlike home computers, many smart TVs are directly connected to the Internet without the buffer of a router, which deflects unsolicited traffic. Also, consumers often don't change the factory default username and password that have been set for web administration, giving easy access to hackers.

It's very easy for hackers to scan for smart TVs on the Internet. When found, they only need to use the default username and password, and they're in. 2012 already witnessed LightAidra, which infected set top boxes. 2013 could see smart TVs being used for such purposes as click fraud, Bitcoin mining, and DDoS attacks.

— Read more —

CERT-FI: Onko digi-tv-laitteesi bottiverkon orjakone?
CERT-FI: Digitv-virittimistäkin tavattu haittaohjelmia
Computerworld: Samsung TV vulnerability could let a hacker change the channel

6. Mobile spy software will go mainstream

2013 may see a rise in popularity of tracking software, and not just for parental control purposes. There has already been growth in child safety apps that monitor kids' activities, for example, their Facebook behavior. Of course this kind of software can also be used to spy on anyone, not just kids. The more smartphones there are, the more people will be seeking out software like this – to find out what their spouses are up to, for example.

7. Free tablets will be offered to prime content customers

Tablets and e-readers are all the rage, and more and more often in closed ecosystems such as the iPad with iTunes or the Kindle with Amazon. As the Kindle price keeps dropping, the Labs predict that 2013 may bring a free e-reader or tablet for prime customers of companies who charge for content, like Amazon or Barnes & Noble. Closed ecosystems are more secure, but then you have to trust the provider to protect your privacy.

So what's good for security may not be great for your privacy.

Also, Amazon recently announced flat-fee plans for unlimited children's content and games. As more dedicated, and closed, devices are available, more and more parents will opt to restrict their children's usage of Windows-based computers, and that will affect their parental control software needs.


Wednesday, December 12, 2012

How to Rob a Bank in the 21st Century Posted by Sean @ 14:59 GMT

Here's a handy "how to" guide (in graphic form) which you can use to explain how cybercriminals steal from bank accounts.

All done in just five easy steps:

How to Rob a Bank in the 21st Century

Download a PDF version here (4.20MB).


Tuesday, December 11, 2012

Video: Mikko's Wired 2012 Presentation Posted by Sean @ 14:50 GMT

Mikko recently spoke at Wired 2012, a conference in London, on the topic of cyberwarfare and the developing digital arms race.

A video of Mikko's presentation is now available on Wired UK's YouTube channel.


Monday, December 10, 2012

Australian Medical Records Encrypted, Held Ransom Posted by Sean @ 10:05 GMT

According to the Australian Broadcasting Corporation (ABC), a server belonging to a small medical business located in Australia's Gold Coast has been hacked, had its patient records encrypted, and held ransom for $4000.

Miami Family Medical Centre
Image source: Google

The Australian edition of SC Magazine reported on similar hacks earlier this year.

This strikes us as an interesting development as most of the ransomware we've seen during 2012 has been focused on locking out individuals from their desktops. (See the ransomware section of our H1 Threat Report.)

There have been numerous "hacktivist" driven breaches during 2012. (Including ones involving sensitive medical records.) It really is not much of a surprise, or it shouldn't be, that some criminals have developed ways to profit from the same sort of hacker activity. Is this the beginning of a trend which we'll see outside of Oz in 2013?


Wednesday, December 5, 2012

Finnish Website Attack via Rogue Ad Posted by Sean @ 12:46 GMT

Finland has a rather small population in which F-Secure has a relatively large market share. (Natch.) And every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory.

Here's a graph of malware detections (as in preventions) that occurred in Finland from November 24th to November 27th.

Finland cloud statistics, Nov.24-Nov.27

And this is a graph of the same from December 1st to December 4th.

Finland cloud statistics, Dec.1-Dec.4

Why is there such a dramatic difference?

An advertising network used by one of Finland's most popular websites,, was compromised during the December time period. And according to Suomi24, all of that malware traffic was pushed by a single ad from a third-party advertiser's network.

Just one ad.

This is what our customers using our Browsing Protection feature would have seen:

F-Secure Browsing Protection block

And if the site blocking wasn't enabled, this is the antivirus notification:

F-Secure antivirus block

What was blocked? — Rogue Antivirus. As in fake security software.

Here's one version:

Fake Microsoft Security Essentials scan

And here's another:

Rogue's fake scan

These rogue programs aren't actually scanning your computer for threats, but still, they're more than happy to charge for their services. Rogues don't offer any free trials, they want payment up front.

Rogue asking for payment

Payment up front? That's generally a good sign there's something amiss.


Tuesday, December 4, 2012

Shylock Likes Smart Cards Posted by Sean @ 15:27 GMT

Do you ever use your laptop's Smart Card reader? You don't? Yeah, we didn't think so.

(Half of you reading this probably didn't even realize it had one to begin with.)

Windows users: open your Control Panel, go to Administrative Tools, Services — and stop the Smart Card service. Adjust the startup type to prevent it from starting up with the system.

Smart Card Properties

All done? Good.

Now you're not wasting resources on an unused service and as a bonus — a malware called Shylock will no longer infect your system.

Why's that?

Because upon execution, Shylock checks for the Smart Card service and if it isn't present, it quits.

Shylock Smart Card check
Shylock 1

And that's not all. Marko from our Threat Research team found that it also checks for memory and hard drive space.

Here's the memory check:

Shylock memory check
Shylock 2

At least 256MB is required:

Shylock memory check
Shylock 3

And the hard drive related checks:

Shylock logical drives check
Shylock 4

Shylock drives check
Shylock 5

And as you can see from the "Shylock 3" image, the combined drive space must be equal to at least 12GB.

Now you might be asking yourself, why is Shylock so particular?

The most likely answer is it's an attempt to avoid being debugged by antivirus vendors, which typically use virtual environments for research. And such virtual environments don't always include things such as virtual Smart Card readers. But then again… sometimes they do.

Better luck next time, Shylock.

SHA1: 386ccfc028ac4986def3954cfce8af541330fa36


Monday, December 3, 2012

New Mac Malware Found on Dalai Lama Related Website Posted by Sean @ 11:08 GMT

Acting on a tip, a member of our Threat Research team (Brod) has discovered a Dalai Lama related website is compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit.

Page source from --jar

Here's a screenshot of from Google's cache:, cached image

Note: Google's November 27th snapshot also includes a link to the malicious exploit (so don't visit).

The gyalwarinpoche site doesn't seem to be as "official" as

But it's been around since 2009/2010 and the name is the same as the Dalai Lama's YouTube channel.

And the Whois information is similar:



The Java-based exploit uses the same vulnerability as "Flashback", CVE-2012-0507. Current versions of Mac OS X and those with their browser's Java plugin disabled should be safe from the exploit. The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor with file download and keylogger capabilities.

This is not the first time has been compromised and it certainly isn't the first time Tibetan related NGOs have been targeted. Read more here and here.

There is also an exploit, CVE-2012-4681, with a Windows-based payload: Trojan.Agent.AXMO.

MD5 info:

Exploit:Java/CVE-2012-0507.A — 5415777DB44C8D808EE3A9AF94D2A4A7
Backdoor:OSX/Dockster.A — c6ca5071907a9b6e34e1c99413dcd142
Exploit:Java/CVE-2012-4681.H — 44a67e980f49e9e2bed97ece130f8592
Trojan.Agent.AXMO — c3432c1bbdf17ebaf1e10392cf630847