NEWS FROM THE LAB - December 2014


Wednesday, December 31, 2014

False Positive: Exploit:JS/HuanJuanEK.A Posted by Antti @ 23:46 GMT

We've just fixed a false positive that detected content from many clean websites as Exploit:JS/HuanJuanEK.A.

The database that contained the false positive prone detection was F-Secure Hydra 2014-12-31_02. A fix is included in F-Secure Hydra 2015-01-01_01, which is already published. This false positive only affected our Web Traffic Scanning feature which scans content downloaded from websites. If you are still seeing the detection, you can check if you've received the latest update:

Hydra update

Our apologies for any trouble. And, despite of this, Happy New Year to everyone!

-- Antti


Friday, December 19, 2014

Who do you trust? Posted by Sean @ 13:26 GMT

Normally when we post a video, it's of somebody that you know quite well (Mikko). But today… we'd like to post a video of somebody that you might not know and who speaks highly of us (here in the Labs). The feeling is mutual.

Who? Our CEO, Christian Fredrikson.

From his first day at F-Secure, he's come across as the kind of guy who would be the last person off the boat (or die trying).

Below is a presentation he gave two weeks ago to a group in Helsinki in which he asks: Who do you trust?

Christian Fredrikson
Trusted cloud services a key for European success

From our point of view — he's another good example of why you can trust F-Secure.


Friday, December 12, 2014

OphionLocker: Joining in the Ransomware Race Posted by Patricia @ 16:25 GMT

Last August, we wrote about a series of ransomware that included SynoLocker and CryptoWall. In our Cryptowall post, we briefly mentioned the more advanced family of ransomware, CTB-Locker, which uses elliptic curve cryptography for file encryption and Tor for communication with the command & control server.

This week, another ransomware emerged using the same cryptography for encryption. It was first spotted by
Trojan7Malware from a malvertising campaign that used RIG exploit kit. They dubbed the malware as OphionLocker.

Upon infection, this malware uses a
Tor2web URL for giving instructions on how to send the payment and obtain the decrpytor tool.

This ransomware encrypts files with the following extensions:

extensions (8k image)

Here is the message that will be shown to the user after encryption:

ransom_pop (14k image)

Multiple text files with the format ENCRYPTED[..].txt will be created, which contains the generated Hardware ID for the victim's machine.

tor_hwid_instruction2 (20k image)

Entering the HWID will display the ransom message that asks for 1 BTC.

ransom_page2 (32k image)

If, however, the infection happens on a virtual environment, OphionLocker has a slightly different trick. Though it still gives you a HWID, the message shown does not ask for a ransom payment.

fake_ransom (41k image)

It gives the decryptor for free! Now, we know that sounds too good to be true, yet we still have to try it out. Just in case they're nice to security researchers.

Testing the decryptor will show the following message:

decryptor_message (9k image)

Upon clicking "OK", it will immediately pop another message:

decryptor_message2 (6k image)

But unfortunately, no files were decrypted.

SHA1: eb78b7079fabecbec01a23c006227246e78126ab (ransomware) - Trojan:W32/Ransomware.D


Thursday, December 11, 2014

Archie and Astrum: New Players in the Exploit Kit Market Posted by Patricia @ 12:34 GMT

Exploit kits continue to be a critical tool for the propagation of crimeware. New exploit kits have appeared this year, and this post will discuss two of them — Archie and Astrum.

Archie EK was first described in August as a basic exploit kit, as it uses exploit modules copied from the Metasploit Framework.

We detect the exploits used by Archie EK, and so upon review of our telemetry, we can see the kit made its first appearance during the first week of July. It has remained active since then.

Archie hits, Jul to Dec

From July, we've seen hits of CVE-2014-0515 (Flash) exploit with Archie EK traffic, and then in the following month, we noticed detections of CVE-2014-0497 (Flash), CVE-2013-0074 (Silverlight), and CVE-2013-2551 (Internet Explorer) exploits. By November, Kafeine spotted new Flash vulnerability CVE-2014-0569 and IE vulnerability CVE-2014-6332 integrated in this exploit kit, which has also been evident from our upstream.

Archie vulnerability hits

We detect exploits used by Archie EK as:

  •  Exploit:HTML/CVE-2013-2551.B
  •  Exploit:JS/ArchieEK.A
  •  Exploit:JS/ArchieEK.B
  •  Exploit:MSIL/CVE-2013-0074.E
  •  Exploit:SWF/CVE-2014-0515.C
  •  Exploit:SWF/CVE-2014-0569.A
  •  Exploit:SWF/Salama.D

Just like other exploit kits, this kit has evolved over the months, not only in the vulnerability support but also its landing page. The early samples of Archie we encountered used straightforward filenames and variable names such as "pluginDet.js" and "payload".

Below is a code snippet of the earlier landing page:

Archie Flash payload

However, during November, we started to see new samples with slight modifications attempting to add some obfuscation. It is now using random looking strings instead of simple descriptive variable names. Below is a code snippet of a recent landing page sample.

archie_flash_payload_v2 (28k image)

It also includes checks for Antivirus and VMware files that was not in the early versions:

archie_AVandVMcheck (46k image)

We detect these landing pages as Exploit:JS/ArchieEK.A and Exploit:JS/ArchieEK.B.

The URL patterns of Archie were also simple and used descriptive filenames in its traffic such as below:

  •  http://144. 76.36.67/flashhigh.swf
  •  http://144. 76.36.67/flashlow.swf
  •  http://144. 76.36.67/ie8910.html
  •  http://144. 76.36.67/silverapp1.xap

But recently, we've observed a different pattern that uses a SHA256 string for the filenames:

  •  http://31. 184.194.99/0d495794f41827de0f8679412e1823c8
  •  http://31. 184.194.99/cd8e0a126d3c528fce042dfb7f0f725055a04712d171ad0f94f94d5173cd90d2.html
  •  http://31. 184.194.99/9edcdf010cd9204e740b7661e46c303180e2d674417193cc6cbadc861fdf508a.swf
  •  http://31. 184.194.99/e7e8ed993b30ab4d21dd13a6b4dd7367308b8b329fcc9abb47795925b3b8f9d0.swf

Below are reported IP addresses from our upstream where this kit is hosted:

Archie IP table

From our telemetry, the most affected countries are the United States and Canada.

Archie, country hits

The common payload of Archie EK is a Trojan Clicker. Below are example hashes this kit delivered based on our upstream, and we detect them as follows:

  •  8b29dc79dfd0bcfb22e8954c65066be508bb1529 - Gen:Variant.Graftor.152508
  •  1850a174582c8b1c31dfcbe1ff53ebb67d8bde0d - Gen:Trojan.Heur.PT.fy4@bOYsAwl
  •  2150d6762db6ec98e92bb009b3bdacb9a640df04 - Generic.Malware.SFdld!!.8499435C
  •  5a89a48fa8ef92d1a4b31ee20f3f630e73c1c6c2 - Generic.Malware.SFdld!!.294B1B47

Astrum EK is another new player in the exploit kit market this year. It was first reported by Kafeine in September, and was found to be one of the kits the Reveton gang has started to use.

Initially, it has support for the following vulnerabilities: CVE-2014-0515/CVE-2013-0634 (Flash), CVE-2013-0074/CVE-2013-3896 (Silverlight), CVE-2013-2551/CVE-2014-0322 (Internet Explorer), and CVE-2010-0188 (Adobe Reader). In October, Kafeine spotted that Astrum EK is exploiting CVE-2014-8439, a Flash vulnerability that we discovered together with Kafeine.

Astrum vulnerability support

Being one of the new players in the exploit kit market this year, it has also been evident in our telemetry and continues its activity up to now.

Astrum hitcount

Unlike Archie exploit kit, Astrum uses a lot of obfuscation in its landing page. Below are code snippets of two landing pages that are basically the same, but the second one having added garbage comments and spaces in between codes to add more obfuscation to avoid detection:

Astrum landing page codesnippet

Astrum landing page codesnippet 2

As has also been described by Kafeine, deobfuscated code shows checking of analyst tools and Kaspersky's plugin:

Astrum tools check

Astrum, Kaspersky plugin

We detect the landing pages as Exploit:JS/AstrumEK.A and Exploit:JS/AstrumEK.B.

Astrum has an identifiable URL pattern such as below:

  •  http://ad7. […]
  •  http://adv2. […]
  •  http://pic2. […]
  •  http://pic2. […]
  •  http://cdn-net4. […]
  •  http://cdn-net8[…]

Below are reported IP addresses where Astrum EK is hosted:

Astrum IP table

Based on our telemetry, we have hits of Astrum EK from the countries below:

Astrum country hits

Archie and Astrum are only two of the new ones. There are also other new kits such as Rig, Null Hole, and Niteris (CottonCastle), and other exploit kits continue to rise and evolve such as Angler, Nuclear, Neutrino, FlashEK, Fiesta, SweetOrange, and others.

One notable characteristic with these exploit kits is that checking of Antivirus files, VMware files and other analyst tools are now becoming common. Other exploit kits, such as Nuclear and Angler, have also integrated these checks to avoid being analyzed by malware researchers. You can read more about that from Kafeine's blog.


Mysterious Turla Linux Backdoor Also For Solaris? Posted by FSLabs @ 11:06 GMT

There have been numerous reports about the mysterious Linux backdoor connected to Turla, an APT family. The malware has some pretty interesting features, the most interesting being its ability to sniff the network interface. More specifically, it can configure its C&C address from the network traffic. This allows the backdoor to sit silently in the network and activate with a specially crafted packet sent by the attackers.

When activated, the backdoor tries to connect to specified C&C. The C&C server can then instruct the backdoor with typical RAT features such as downloading, uploading, file listing, execution, etc.

Initial investigation showed that aside from the network sniffing, this malware behaves like a typical remote access trojan.

However, after checking further, we noticed something special about the environment set for file execution command:


linux_solaris_turla2 (99k image)
Environment set for a temporary file execution

This isn't at all typical for a Linux environment. As a matter of fact, it fits more for a Solaris environment:

/usr/openwin - Solaris OpenWindows location
/usr/ccs - C Compilation System of Solaris Studio
/usr/ucb - Solaris BSD compatibility directory
/usr/dt - Solaris CDE (Common Desktop Environment) installation location

This raises a question on whether this backdoor was originally targeting Solaris platform. There's nothing in the code and statically-linked libraries that would make this especially difficult to port, so we wouldn't be surprised to find out this malware is also on Solaris boxes in the following days.

Post by — Jarkko


Wednesday, December 10, 2014

White Papers: W32 & W64/Regin, Stage #1 Posted by Sean @ 12:34 GMT

Now available: white papers on Regin's stage 1 components.

Senior Researcher Paolo Palumbo has been busy since November 23rd converting his Regin notes into white papers.

These are meant be to a contribution for those who are inspecting their own systems and configurations. The papers provide analysis of the components that most people will run into first if Regin is present, and hopefully this will help identify future versions.

Malware Analysis Report: W32/Regin, Stage #1

Malware Analysis Report: W64/Regin, Stage #1


Tuesday, December 9, 2014

Hackerstrip Posted by Mikko @ 13:36 GMT

Hackerstrip is an online cartoon that features real Hackers like Xylitol, Charlie Miller and Chris Valasek. Their tagline is "Real Stories - Real Hackers".


Hackerstrip was started by Ravi Kiran. The team includes Larry Suto and SantaPlix.

Hackerstrip is now doing a crowdfunding at Indiegogo. Some of our readers might be interested in participating.

The crowdfunding has less than 24 hours to go, so hurry up!


Monday, December 8, 2014

The Internet is on Fire Posted by Mikko @ 09:42 GMT

The Internet is on Fire - TEDxBrussels

I spoke at the TEDxBrussels event last week, and the video is now available. This was the third time I spoke at TEDxBrussels. You can find the previous talks from here and here.

In the talk I cover recent examples on how we are increasingly living an aquarium life as more and more of our everyday tasks can be monitored.

I've received some questions about the slide setup I was using. The slides were projected in a native resolution of 3456 x 1080 with PowerPoint set to a customer aspect ratio of 29:9 (instead of the usual 16:9 or 4:3). The projection was done from a Windows computer connected to two overlapping projectors.

The Internet is on Fire - TEDxBrussels



Thursday, December 4, 2014

Who hacked Sony Pictures Entertainment and why? Posted by Sean @ 16:36 GMT

If you haven't kept up with the news about Sony Pictures Entertainment's breach, you really should catch up. Now. It's fast becoming the worst hack any company has ever publicly suffered.

Reuters: Exclusive: FBI warns of 'destructive' malware in wake of Sony attack
Krebs on Security: Sony Breach May Have Exposed Employee Healthcare, Salary Data
BuzzFeed: A Look Through The Sony Pictures Data Hack: This Is As Bad As It Gets

The FBI released a FLASH Alert about destructive malware on December 1st:


The destructive malware in question is a wiper similar to Shamoon. It uses the same benign driver for raw disk access.

On November 24th, this wallpaper was dropped on the computers of SPE employees:

Hacked By #GOP

Who is responsible for the attack?

North Korea has been suggested. That seems implausible to us.

The attackers apparently made demands:

  •  "We've already warned you, and this is just a beginning."

  •  "We continue till our request be met."

The demands have not yet been made public; when they were not met… the attackers dumped large amounts of SPE's data.

Theory: either the attackers are copyright reformist hackers targeting Hollywood — or — the attack was an attempted shakedown and extortion scheme. Hackers interested in copyright reform very often use better grammar than that found in the wallpaper above.

Which causes us to worry it's about extortion. And that's a big concern because it would mean the point of SPE's public "execution" was to warn to other companies that may already be hacked that the extortioners aren't bluffing.

Either way, Sony Pictures Entertainment may only be the first.

Edited: adjusted a sentence above to link to Shamoon.


Tuesday, December 2, 2014

The United Kingdom's ISC on Privacy Posted by Sean @ 15:16 GMT

From the Intelligence and Security Committee of Parliament's Report on the intelligence relating to the murder of Fusilier Lee Rigby:

"We further note that several of the [US Communications Service Provider] companies attributed the lack of monitoring to the need to protect their users' privacy. However, where there is a possibility that a terrorist atrocity is being planned, that argument should not be allowed to prevail."

where there is a possibility that a terrorist atrocity is being planned, [privacy] should not be allowed to prevail

So… the possibility of terrorist communications negates the importance of privacy??

I'll have to disagree.

From MI5's threat overview on terrorism:

"Terrorist groups seek to cause widespread disruption, fear and intimidation. They use violence or the threat of violence as a means of publicising their causes, motivating those who might be sympathetic to them and intimidating those who do not sympathise. They often aim to influence government policies and they often reject existing democratic processes, or even democracy itself, as a means of achieving their objectives."

They often aim to influence government policies…

From where I stand, the ISC has apparently been influenced to disregard privacy as a fundamental value.

The Intelligence and Security Committee of Parliament

What a pity.

Post by — @5ean5ullivan