We've just fixed a false positive that detected content from many clean websites as Exploit:JS/HuanJuanEK.A.
The database that contained the false-positive-prone detection was F-Secure Hydra 2014-12-31_02. A fix is included in F-Secure Hydra 2015-01-01_01, which is already published. This false positive only affected our Web Traffic Scanning feature, which scans content downloaded from websites. If you are still seeing the detection, you can check whether you've received the latest update:
Our apologies for any trouble. And, despite this, Happy New Year to everyone!
Normally when we post a video, it's of somebody that you know quite well (Mikko). But today… we'd like to post a video of somebody that you might not know and who speaks highly of us (here in the Labs). The feeling is mutual.
Exploit kits continue to be a critical tool for the propagation of crimeware. New exploit kits have appeared this year, and this post will discuss two of them — Archie and Astrum.
Archie EK was first described in August as a basic exploit kit, as it uses exploit modules copied from the Metasploit Framework.
We detect the exploits used by Archie EK, and so upon review of our telemetry, we can see the kit made its first appearance during the first week of July. It has remained active since then.
Since July, we've seen hits of the CVE-2014-0515 (Flash) exploit with Archie EK traffic, and in the following month we noticed detections of CVE-2014-0497 (Flash), CVE-2013-0074 (Silverlight), and CVE-2013-2551 (Internet Explorer) exploits. By November, Kafeine had spotted a new Flash vulnerability, CVE-2014-0569, and an IE vulnerability, CVE-2014-6332, integrated into this exploit kit, which has also been evident from our upstream.
Just like other exploit kits, this kit has evolved over the months, not only in its vulnerability support but also in its landing page. The early samples of Archie we encountered used straightforward filenames and variable names such as "pluginDet.js" and "payload".
Below is a code snippet of the earlier landing page:
However, during November, we started to see new samples with slight modifications attempting to add some obfuscation. They now use random-looking strings instead of simple descriptive variable names. Below is a code snippet of a recent landing page sample.
It also includes checks for Antivirus and VMware files that were not in the early versions:
We detect these landing pages as Exploit:JS/ArchieEK.A and Exploit:JS/ArchieEK.B.
The URL patterns of Archie were also simple and used descriptive filenames in its traffic such as below:
Astrum EK is another new player in the exploit kit market this year. It was first reported by Kafeine in September, and was found to be one of the kits the Reveton gang has started to use.
Initially, it had support for the following vulnerabilities: CVE-2014-0515/CVE-2013-0634 (Flash), CVE-2013-0074/CVE-2013-3896 (Silverlight), CVE-2013-2551/CVE-2014-0322 (Internet Explorer), and CVE-2010-0188 (Adobe Reader). In October, Kafeine spotted that Astrum EK was exploiting CVE-2014-8439, a Flash vulnerability that we discovered together with Kafeine.
Being one of the new players in the exploit kit market this year, it has also been evident in our telemetry and continues its activity up to now.
Unlike the Archie exploit kit, Astrum uses a lot of obfuscation in its landing page. Below are code snippets of two landing pages that are basically the same, except that the second one adds garbage comments and whitespace between the code to increase obfuscation and avoid detection:
As has also been described by Kafeine, deobfuscated code shows checking of analyst tools and Kaspersky's plugin:
We detect the landing pages as Exploit:JS/AstrumEK.A and Exploit:JS/AstrumEK.B.
Astrum has an identifiable URL pattern such as below:
Below are reported IP addresses where Astrum EK is hosted:
Based on our telemetry, we have hits of Astrum EK from the countries below:
Archie and Astrum are only two of the new ones. There are also other new kits such as Rig, Null Hole, and Niteris (CottonCastle), and other exploit kits continue to rise and evolve such as Angler, Nuclear, Neutrino, FlashEK, Fiesta, SweetOrange, and others.
One notable characteristic of these exploit kits is that checking for Antivirus files, VMware files and other analyst tools is now becoming common. Other exploit kits, such as Nuclear and Angler, have also integrated these checks to avoid being analyzed by malware researchers. You can read more about that on Kafeine's blog.
There have been numerous reports about the mysterious Linux backdoor connected to Turla, an APT family. The malware has some pretty interesting features, the most interesting being its ability to sniff the network interface. More specifically, it can configure its C&C address from the network traffic. This allows the backdoor to sit silently in the network and activate with a specially crafted packet sent by the attackers.
When activated, the backdoor tries to connect to the specified C&C. The C&C server can then instruct the backdoor with typical RAT features such as downloading, uploading, file listing, execution, etc.
Initial investigation showed that aside from the network sniffing, this malware behaves like a typical remote access trojan.
However, after checking further, we noticed something special about the environment set for the file execution command:
PATH=/bin:/usr/bin:/usr/local/bin:/usr/openwin/bin:/usr/ucb/bin:/usr/ccs/bin LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/dt/lib
Environment set for a temporary file execution
This isn't at all typical for a Linux environment. As a matter of fact, it fits a Solaris environment better:
• /usr/openwin - Solaris OpenWindows location
• /usr/ccs - C Compilation System of Solaris Studio
• /usr/ucb - Solaris BSD compatibility directory
• /usr/dt - Solaris CDE (Common Desktop Environment) installation location
This raises the question of whether this backdoor was originally targeting the Solaris platform. There's nothing in the code or the statically-linked libraries that would make it especially difficult to port, so we wouldn't be surprised to find this malware on Solaris boxes too in the coming days.
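The Solaris-flavoured PATH above is the kind of detail a responder can turn into a triage heuristic: pull PATH-like assignments out of a binary's printable strings and flag any that reference directories that only make sense on Solaris. The following Python is an added example written for this post, not F-Secure's tooling or code from the backdoor; the four directories and their descriptions are the ones listed above, and the sample "binary" is a constructed byte string that embeds the post's environment string next to an ordinary Linux PATH for contrast.

```python
import re

# Solaris-specific directories named in the post, with the post's own descriptions.
SOLARIS_DIRS = {
    "/usr/openwin": "Solaris OpenWindows location",
    "/usr/ccs": "C Compilation System of Solaris Studio",
    "/usr/ucb": "Solaris BSD compatibility directory",
    "/usr/dt": "Solaris CDE (Common Desktop Environment) installation location",
}

# NAME=value pairs as they appear in a flat environment string; values stop at whitespace/NUL.
ENV_ASSIGNMENT = re.compile(r"\b([A-Z_][A-Z0-9_]*)=([^\s\x00]+)")


def parse_env_string(env):
    """Split 'PATH=a:b LD_LIBRARY_PATH=c' into {name: [directories]}."""
    return {name: value.split(":") for name, value in ENV_ASSIGNMENT.findall(env)}


def solaris_indicators(env):
    """Return {solaris_dir: description} for every Solaris-only directory referenced
    by a *PATH variable in the environment string. Matches the directory itself or
    any subdirectory of it (e.g. /usr/openwin/bin counts for /usr/openwin)."""
    found = {}
    for name, dirs in parse_env_string(env).items():
        if not name.endswith("PATH"):
            continue
        for d in dirs:
            d = d.rstrip("/")
            for root, description in SOLARIS_DIRS.items():
                if d == root or d.startswith(root + "/"):
                    found[root] = description
    return found


def scan_strings(blob, min_len=8):
    """Emulate `strings`: pull printable ASCII runs from a blob and return the
    (string, indicators) pairs whose PATH-like assignments reference Solaris dirs."""
    hits = []
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        text = match.group().decode("ascii")
        indicators = solaris_indicators(text)
        if indicators:
            hits.append((text, indicators))
    return hits


# Constructed sample: a fake ELF-ish header, the post's environment string split across
# two NUL-terminated strings, and a typical Linux PATH that should not be flagged.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"PATH=/bin:/usr/bin:/usr/local/bin:/usr/openwin/bin:/usr/ucb/bin:/usr/ccs/bin\x00"
    + b"LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/usr/dt/lib\x00"
    + b"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin\x00"
)

if __name__ == "__main__":
    for text, indicators in scan_strings(SAMPLE_BLOB):
        print(text)
        for root, description in indicators.items():
            print("   ", root, "-", description)
```

Running the block against the constructed blob reports the two strings carrying the backdoor's environment and ignores the Linux-style PATH; on a real sample you would pass the file's bytes to `scan_strings` and treat a hit as a prompt to look at the surrounding code, not as a verdict on its own.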
Now available: white papers on Regin's stage 1 components.
Senior Researcher Paolo Palumbo has been busy since November 23rd converting his Regin notes into white papers.
These are meant to be a contribution for those who are inspecting their own systems and configurations. The papers provide analysis of the components that most people will run into first if Regin is present, and hopefully this will help identify future versions.
In the talk I cover recent examples of how we are increasingly living an aquarium life as more and more of our everyday tasks can be monitored.
I've received some questions about the slide setup I was using. The slides were projected at a native resolution of 3456 x 1080 with PowerPoint set to a custom aspect ratio of 29:9 (instead of the usual 16:9 or 4:3). The projection was done from a Windows computer connected to two overlapping projectors.
The FBI released a FLASH Alert about destructive malware on December 1st:
The destructive malware in question is a wiper similar to Shamoon. It uses the same benign driver for raw disk access.
On November 24th, this wallpaper was dropped on the computers of SPE employees:
Who is responsible for the attack?
North Korea has been suggested. That seems implausible to us.
The attackers apparently made demands:
• "We've already warned you, and this is just a beginning."
• "We continue till our request be met."
The demands have not yet been made public; when they were not met… the attackers dumped large amounts of SPE's data.
Theory: either the attackers are copyright reformist hackers targeting Hollywood — or — the attack was an attempted shakedown and extortion scheme. Hackers interested in copyright reform very often use better grammar than that found in the wallpaper above.
Which causes us to worry it's about extortion. And that's a big concern, because it would mean the point of SPE's public "execution" was to warn other companies that may already be hacked that the extortioners aren't bluffing.
Either way, Sony Pictures Entertainment may only be the first.
Edited: adjusted a sentence above to link to Shamoon.
"We further note that several of the [US Communications Service Provider] companies attributed the lack of monitoring to the need to protect their users' privacy. However, where there is a possibility that a terrorist atrocity is being planned, that argument should not be allowed to prevail."
So… the possibility of terrorist communications negates the importance of privacy??
"Terrorist groups seek to cause widespread disruption, fear and intimidation. They use violence or the threat of violence as a means of publicising their causes, motivating those who might be sympathetic to them and intimidating those who do not sympathise. They often aim to influence government policies and they often reject existing democratic processes, or even democracy itself, as a means of achieving their objectives."
They often aim to influence government policies…
From where I stand, the ISC has apparently been influenced to disregard privacy as a fundamental value.