On Botting, Cheating, And DDoSers

On November 10th 2016 Blizzard enacted a “ban wave” on thousands of World of Warcraft accounts for “botting”, a term widely used to describe using third party programs to automate gameplay. Technically it wasn’t a “ban wave” – the accounts in question received between 6 and 24 month suspensions based on how often they’d been caught botting in the past. This is the first action they’ve taken on cheating since the August 30th release of the latest expansion, Legion.

Bots in World of Warcraft are used for a variety of cheats, all of which impact legitimate players fairly heavily. What might surprise you is that botting, and cheating in general, is extremely common. Left unchecked, it can proliferate to the point of ruining an entire franchise.

Diablo 3, another game published by Blizzard Entertainment, was, for all intents and purposes, destroyed by botting. During 2015 it became apparent that a large percentage of the player base were botting their characters. Even some high-profile “celebrity” streamers were known to bot “off camera”. One streamer, whose account averaged over 22 hours of gameplay per day since the launch of the game’s “Seasons” mode, explained that his brother “Chris” was playing on his account when he wasn’t. He was eventually caught, and lost his account, only to immediately buy a new one and continue to bot. To this day, bots are still often referred to as “Brother Chris”.

In another example of just how widespread the problem was, here’s a video of one player who forgot to shut off his stream before starting his bot software and leaving it running, all night, for the world to see. At the time, he was one of very few people to actually lose their accounts.

A multi-bot setup

A WoW bot farm in action. (Source: https://wowbotfarm.wordpress.com)

Botting in Diablo 3 went unchecked for so long that many players came to the conclusion that there would never be any repercussions for doing it. This empowered more and more players to follow suit and start cheating. The snowball effect grew to the point where it was estimated that way more than half of all players were botting and using other cheat software. As cheating went from niche to mainstream, it became a de facto requirement for playing the game competitively. The problem was so bad that several high-profile Diablo 3 players got together and wrote an open letter to Blizzard. Although Blizzard acknowledged this letter shortly after it was posted, botting continued unabated for months afterwards.

A well-known streamer, MannerCookie, posted this video on YouTube showing what bots are capable of. If you’ve never seen a bot in action, I recommend watching the video – it’s quite astonishing how sophisticated they are. What’s sad is that MannerCookie actually received an account ban for making this public service announcement.

Blizzard eventually enacted a ban wave in Diablo 3, but long after I, and all of my friends, had given up on the game. I’m pretty sure Blizzard were stuck between a rock and a hard place on the bot issue. Ban all the bots and you lose more than half of your player base. Don’t ban them, and you slowly lose regular players, trust, and legitimacy. The fact is, the problem shouldn’t have persisted, unchecked, for as long as it did.

With Blizzard enacting ban waves on an infrequent, almost regular-as-clockwork basis, most botters simply buy new accounts and continue where they left off. Last night, just hours after the ban wave, I spotted several bots in World of Warcraft, happily doing what they’ve always been doing. I reported them, but I wouldn’t be surprised to see them over and over again.

Visiting the forums used by botters after a ban wave gives me insight into the psyche of these folks. What’s obvious is that many of them feel incredibly entitled. They claim it’s their right to bot. I saw one kid go ballistic about the fact that he didn’t have time to play all of his eleven, yes, count them, eleven different Warcraft accounts without the use of a bot. He went on to state, in no uncertain terms, that he was going to sue Blizzard for the action they had taken on his accounts (which, of course, I’m sure he didn’t).

Given that cheating is surprisingly widespread, and to many, perfectly acceptable, an entire culture of self-entitled habitual video game cheaters has sprung up. In these social circles, cheating at video games is just the first step on a path that leads to even more anti-social behavior. More often than not, these same self-entitled kids, once caught in the act of breaking terms of service, will lash back at Blizzard with DDoS attacks sourced from the same readily available services of the folks I talked about in my last post. Every time Blizzard swings the ban hammer, they know they’ll need to brace for DDoS attacks. And those attacks affect everyone using Blizzard’s services. This cesspool of low moral ethics hurts legitimate gamers, the games they’re playing, and games companies themselves. And companies like Blizzard need to spend significant resources on cheat detection and DDoS prevention just to keep on top of all of this.

Often parents ask us what their kids are getting up to on the Internet that they don’t know about. This might just be one of those things.


This article was originally published on Huffpost Tech UK.



A Joint Centre To Combat Hybrid Warfare Threats

Helsinki will host a new centre focused on curbing the growing threat of hybrid warfare according to recent reports. Disinformation and fake news are considered “hybrid warfare” in this context.

YLE Uutiset 2016-11-21

The proposed annual budget is reportedly estimated at two million euros.

I think… they’re gonna need a bigger boat.

You're gonna need a bigger boat

Fighting against hybrid warfare disinformation will be extremely challenging in today’s media landscape. Disinformation for profit, a.k.a. content farming, as well as good old fashioned misinformation, coupled with the average individual’s inability to make any real critical distinctions, provides a huge amount of cover for politically motivated disinformation.

And how bad is the average individual’s ability to tell real news from fake? Stanford researchers recently evaluated students’ ability and described the results as…”bleak”.

From NPR.

NPR 2016-11-23

It’s a surprise to me that researchers would be shocked by the results of their study – but then, I spent many, many months studying cost-per-action social media spam on Facebook years ago. Fraudulent links using supposedly scandalous video bait of one sort or another spread rapidly, and millions upon millions of people clicked the links. Repeatedly. Why would scandalous “news” be any different?

Is education the answer?

Education Week 2016-11-01

I’m never against a good education. But it’s not going to fix the problem.

As long as media continues to hunt for “viral content” in its increasingly desperate search for advertising revenues – disinformation and misinformation will continue to exist and flourish. And as long as it does, there will be ample enough cover to provide political actors plausible deniability.

The new Helsinki joint centre has its work cut out for it.



Yahoo! Voice Call 2FA Fail

Netflix recently fixed an account takeover vulnerability involving automated phone calls and caller ID spoofing. The issue? An attacker could use Netflix’s “forgot email/password” feature to reset an account’s password by directing the reset code to a voice call. In order to force the code to voice mail, the attacker would need to call the account holder’s phone at the same time, and then, the code could be retrieved from the account holder’s voicemail via caller ID spoofing (which is something that many operators are vulnerable to even though it’s 2016).

Netflix: Forgot Email/Password


Netflix has now adjusted its system to wait for input before providing the reset code. No input, no code. So nothing just rolls into voicemail anymore.

Waiting for input is how Microsoft’s Office sign in works with its “call me” verification.

Office 365 MFA Options

Microsoft Office Sign In

The automated call agent prompts the account holder to input the pound/hash/number sign (#), and then, once the recipient does so, the sign in is completed.

And then… there’s an organization which was recently in the news because hundreds of millions of account passwords were compromised. Yahoo!

Yahoo! MFA Options

“Call with the code”

Unfortunately, Yahoo’s multi-factor authentication “call with the code” feature is not interactive. It just calls with a one-time code. And so, Yahoo currently suffers from the same vulnerability as Netflix did. An attacker can force such codes to voicemail. And as there are so many compromised passwords in-the-wild… this is a problem.
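The difference between “call with the code” and the wait-for-input behaviour described above can be modelled in a few lines. This is an added example, not code from Netflix, Microsoft or Yahoo; the class and function names, the six-digit code, cancelling the code when nobody presses a key, and the one-guess limit are all assumptions made for the illustration.

```python
"""Added example: voice-call code delivery with and without a keypress gate."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Callee:
    """Constructed stand-in for whatever picks up the call."""
    name: str
    keypresses: list = field(default_factory=list)  # keys it will press, in order
    heard: list = field(default_factory=list)       # audio it received or recorded

    def listen(self, phrase):
        self.heard.append(phrase)

    def next_key(self):
        # A voicemail box records audio but never presses anything.
        return self.keypresses.pop(0) if self.keypresses else None


def non_interactive_call(callee, code):
    """'Call with the code': speaks the code to whatever answers."""
    callee.listen(f"Your verification code is {code}")
    return True


def interactive_call(callee, code, confirm_key="#", max_prompts=2):
    """'No input, no code': speaks the code only after the confirm key."""
    for _ in range(max_prompts):
        callee.listen(f"Press {confirm_key} to hear your verification code")
        if callee.next_key() == confirm_key:
            callee.listen(f"Your verification code is {code}")
            return True
    callee.listen("No input received. Goodbye.")
    return False


class ResetSession:
    """One reset attempt; cancel-on-silence and single use are assumptions."""

    def __init__(self):
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.active = True

    def deliver(self, callee, interactive):
        call = interactive_call if interactive else non_interactive_call
        spoken = call(callee, self.code)
        if not spoken:
            self.active = False  # nobody confirmed, so the code is cancelled
        return spoken

    def redeem(self, attempt):
        ok = self.active and hmac.compare_digest(attempt, self.code)
        self.active = False  # one guess per session
        return ok

    def exposed_to(self, callee):
        return any(self.code in phrase for phrase in callee.heard)


def simulate(interactive, keypresses=()):
    """Place one call; return (code spoken, code in recording, code redeemable)."""
    session = ResetSession()
    callee = Callee("callee", list(keypresses))
    spoken = session.deliver(callee, interactive)
    exposed = session.exposed_to(callee)
    return spoken, exposed, session.redeem(session.code)


if __name__ == "__main__":
    print("voicemail, code-only call  :", simulate(False))
    print("voicemail, keypress gate   :", simulate(True))
    print("account holder presses '#' :", simulate(True, "#"))
```

With the gate in place, a call that rolls to voicemail leaves only the prompt in the recording, and the code it would have spoken is no longer valid.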

Here’s a demonstration that Andy and I recorded.

Via Twitter.

Embedded audio.



What’s The Deal With “Next Gen”?

We’re frequently asked about “Next Gen” antivirus companies, which is not surprising. They’ve been making a lot of noise and bold claims during the last couple of years (so, basically, since they were founded). So let’s take a look at what they’re all about.

Coopetition in the AV industry

But before getting into what “Next Gen” are up to, let’s take a brief stroll down memory lane. During the past three decades, vendors in the Endpoint Protection industry have adopted a system of “coopetition”, where vendors compete fiercely on the sales front while their analysts, developers, and engineers share information and cooperate for the greater good of cyber security. This cooperative competition has included sharing knowledge (through conferences and events), sharing samples, sharing threat intelligence, and agreeing on certain standards.

A few examples of this. In June 2004, VirusTotal was founded as a service for the industry to cooperate on the sharing of samples and verdicts. This service now facilitates the sharing of approximately half a billion samples daily, includes over fifty products, and is a great source of threat intelligence for many in the industry.

Here’s another example. Independent testing organizations, whose mandate was to ensure that products were actually providing the protection they claimed, were formed. It makes sense to hand this task to a set of independent organizations – consumers and businesses just don’t have the time, resources, or expertise to work with live malware, find freshly exploited sites, and conduct tests against dozens of different products just to make a decision about which solution they’ll purchase. I find it astonishing that some “next gen” companies actually recommend that the public perform their own AV testing. Anyways, in 2008, the Anti-Malware Testing Standards Organization (AMTSO™) was founded to facilitate just this.

This cooperative spirit didn’t just happen overnight – it’s been a slow and gradual process. In the old days, there was plenty more competition and rivalry between cyber security companies.

How to alienate yourself from VirusTotal

But things changed a few years ago. Instead of joining the community, many of the “Next Gen” players (to be clear here, we’re talking about “Next Gen Endpoint Security”, or “antivirus” vendors, not EDR or breach detection products) took an altogether different route. They launched marketing campaigns designed to discredit incumbent security vendors by insinuating that their products are based on “signature-only” technologies.

The “data” that “Next Gen” vendors often rely on to present this argument is flawed. It’s based on comparing their full technology stack to competitor results from VirusTotal (which only tests static file scanning capabilities). Despite the fact that VirusTotal changed their policies regarding the use of their data after noticing these campaigns, “Next Gen” are still up to it. And it’s certainly provocative.

Welcome to the Big AV conspiracy

What might have led them to do this? It seems that some “Next Gen” companies claim that they’re unable to compete in an industry that is controlled by what they refer to as “Big AV”. Akin to stories of the Illuminati, they insinuate that a shadowy cabal of established InfoSec companies control the industry and are working to undermine their credibility.

Big-AV

A picture from the last annual general meeting of Big AV. That’s me on the right. (Source: http://yournewswire.com/)

When in doubt, blame QA

Just recently, “Next Gen” have turned their inaccurate marketing assault towards the independent AV testing industry. Numerous claims have been made insinuating that the independent AV testing industry is untrustworthy, biased, and paid-for.

We agree that independent testing methodologies aren’t perfect, and perhaps they haven’t evolved as fast as the technologies and threat landscape around them have. Not every technology in our own products factors into the tests they run. But the industry certainly isn’t rigged in favor of certain types of products or vendors.

Our main motivation behind working with independent testing organizations is to acquire valuable quality assurance data for our products and technologies. Testing organizations build and maintain complex infrastructure designed to search for the absolute latest threats in the wild, in an attempt to trip up the best endpoint protection technologies. We source multiple private tests every month and use the data from those tests to constantly improve our technologies and services. These organizations don’t exist to tell us our products are good – if they did, we’d find little value in utilizing their services.

Many “Next Gen” companies refuse to participate in independent testing – public or private. In fact, some “Next Gen” vendors go to great lengths to avoid having their products independently evaluated – they specifically refrain from selling their products to testing labs, and may even revoke a license key – without a refund – if they find out or suspect that it was bought anonymously by a testing lab.

Why do the work when you can get others to do it for you?

As I’ve said in the past, “Traditional AV” versus “Next Gen” is a concept that was coined by “Next Gen” marketing departments. And here’s why. Instead of investing resources into the technologies and infrastructure required by all other independent security companies, many “Next Gen” vendors outsource a lot of that work to third parties (often the very companies they’re calling “Traditional AV”). This outsourcing can include licensing feeds of verdicts from third parties (which are generated by, you guessed it, “Traditional AV” products) or even running competitor products in their own back end infrastructure.

We see about 500,000 new samples every day, and to analyze and categorize those samples, we’ve invested heavily into infrastructure, storage, and automation. Building and improving that infrastructure took over a dozen years. Without this infrastructure and the constant improvements we put into back end systems, sample analysis automation, and sample storage and categorization, we’d simply not be able to stay ahead of the threat landscape. Technologies are one thing, but they’re only as good as the rules, logic, samples, and metadata they’re fed. Which, in turn, relies heavily on providing relevant inputs. And those inputs have to come from somewhere.

Venture capital buys a lot of marketing

The money saved from skimping on proper data collection and infrastructure is funneled directly into “Next Gen” marketing departments. Equipped with these huge venture capital-backed marketing budgets, they’ve bombarded the press with the idea of “Traditional AV” versus “Next Gen”, spread mistruths that incumbent AV products are “signature only”, created bad press around independent testing organizations, and are probably working on new propaganda we haven’t seen yet.

It’s important to note that the term “Next Gen” has already seen widespread adoption in the industry, which is a shame, since it’s obviously biased. “Next Gen” implies newer and better, a notion that’s far from the truth. A more accurate and fair term would be “Anti Virus startup”.

If you want to know how you’re being protected, you’re going to have a hard time figuring out how most “Next Gen” products work; their blog posts and white papers are mostly just a string of marketing buzzwords. In many cases, their products are difficult to get hold of – you can’t simply buy a license and go download the installer. They claim it’s because they don’t want their intellectual property stolen. We have a term for that – security through obscurity.

What’s so “Next Gen” about ten year old ideas?

The fact is, all endpoint protection solutions use similar approaches (and again, I’m comparing all endpoint protection products here, not breach detection solutions, which are a totally different beast). Some products emphasize certain technologies or strategies more heavily than others. And although the technologies that are being dubbed “Next Gen” have been around for at least a decade, and were originally conceived and developed by “Traditional AV” vendors, “Next Gen” players are applying these technologies in their own way, and are doing a great job at it. Maybe by their own logic, we’re all “Next Gen”?

The fact is, “Next Gen” or not, these products are designed to protect endpoint systems against malicious attacks. And that’s great. Competition is good. Innovation is good. Attacking an old problem from a new angle is always welcome. It’s a positive thing for the industry that there’s a bunch of new players in the field. And they’ve done a great job at getting the word out to the general public that threats exist and protection is needed, especially with the growth we’ve seen in the cyber-crime industry and with targeted attacks becoming ever more widespread.

I’m not sure why “Next Gen” took it upon themselves to start out by fighting the industry. Regardless of their reasons, it’s not too late to change. I’d personally prefer we sit down, have a beer or three, share ideas, share data, and talk about how we can work together to make things safer and more secure for everyone.

Agree? Disagree? Tell me your opinion on Twitter!



A RAT For The US Presidential Elections

A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email was supposedly sent by the head of a US-based terrorist monitoring group. The message was a snippet from a USA Today article, and had a ZIP archive attached called “The Murtadd Vote.zip”.

mail

The attachment extracts to “The Murtadd Vote.jar”, which is an Adwind Remote Access Tool/trojan (RAT). Adwind RAT (or jRAT) is nothing novel. In fact, it has been available as a Malware-as-a-Service subscription for 4 years now. The RAT is capable of keylogging, credential-stealing, and downloading and executing additional files on the infected host, to name a few features.

manifest

What makes this threat slightly different from other RATs? It’s platform-independent, and so it runs basically on any device with Java Runtime Environment (JRE) installed. As seen below, the malware was able to successfully install a copy of itself as evgjyuBYuAY.WyhMVR in both Windows and Linux.

windows_linux

This particular sample phones home to invoicesheet[.]ddns[.]net:183, which resolved to 163.47.20.25 yesterday, and today to 103.25.58.83.

In Windows, it uses a VBS script to search for machine information, such as which firewall is being used. It writes to the registry using a .REG file, and has the ability to disable UAC and kill several processes that are related to system monitoring, antivirus products, and debugging software.

regentries



How To Vet URL Shorteners #2016CampaignEdition

John Podesta, the Chairman of Hillary Clinton’s 2016 presidential campaign, allowed his Gmail account to be compromised in March 2016. And as a consequence, his correspondence has been in the news throughout the month of October.

Recently, the March 2016 phishing message itself was published.

John Podesta Phishing Message

Do you notice anything odd about the message?

The very first thing that jumps out at me is this: WTF is a Bitly link doing there in what’s supposed to be a message from Google? Apparently, Podesta’s IT guy failed to flag this message as suspicious when he asked about it. A “support message” with a short link should always, always equal a big red flag.

Because first of all, to the best of my knowledge, Google support doesn’t use a URL shortener. And second, even if it did, it would undoubtedly use Google’s own URL shortener service at goo.gl (and not bit.ly).

But the real tragedy of the situation is this… it’s very easy to check bit.ly and goo.gl short links. All one needs to do is to add a “+” to the end of the URL. Adding a plus character to the link in the Podesta phishing message (bit.ly/1PibSU0+) yields this information from bitly.com.

John Podesta Phishing, Bitly URL Info

com-securitysettingpage.tk

A Google account page located on the .tk TLD? No. At this point, anybody should be able to determine it’s a trap.
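The check described above, written out as an added example (not code from the original post): build the “+” info-page URL for a bit.ly or goo.gl link, then compare the destination shown there with the domains the claimed sender actually uses. It goes beyond the single case in the post by also flagging plain HTTP, userinfo, IP-literal and punycode hosts; the function names and all sample URLs other than the Bitly link and the `.tk` host quoted in the post are constructed.

```python
"""Added example: previewing a short link and vetting where it really goes."""
import ipaddress
from urllib.parse import urlsplit

PREVIEWABLE = {"bit.ly", "goo.gl"}  # the two shorteners named in the post


def _split(url):
    # Accept bare "host/path" as well as full URLs.
    parts = urlsplit(url if "//" in url else "//" + url)
    return parts, (parts.hostname or "").rstrip(".").lower()


def preview_url(short_url):
    """Return the info-page URL: the same short link with '+' appended."""
    parts, host = _split(short_url)
    if host not in PREVIEWABLE or parts.path in ("", "/"):
        raise ValueError(f"not a bit.ly/goo.gl short link: {short_url!r}")
    return f"https://{host}{parts.path.rstrip('+')}+"


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def vet_destination(dest, expected_domains):
    """List the reasons a destination does not belong to the claimed sender."""
    parts, host = _split(dest)
    if not host:
        return ["no hostname"]
    findings = []
    if parts.scheme not in ("", "https"):
        findings.append("not https")
    if parts.username is not None:
        findings.append("userinfo before host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP address instead of a name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label")
    if not any(_under(host, d) for d in expected_domains):
        findings.append("host outside expected domains")
        for d in expected_domains:
            brand = d.split(".")[0]
            if brand in host:
                findings.append(f"'{brand}' used inside a foreign host")
    return findings


if __name__ == "__main__":
    print(preview_url("bit.ly/1PibSU0"))
    samples = [
        "com-securitysettingpage.tk",                       # host shown in the post
        "https://accounts.google.com/security",             # constructed, legitimate
        "http://accounts.google.com.signin.example/reset",  # constructed lookalike
    ]
    for dest in samples:
        print(dest, "->", vet_destination(dest, ["google.com"]) or "ok")
```

An empty list means the destination sits under one of the expected domains; anything else is a reason not to click.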

Also, 2 clicks?

Both of them from the USA. Once by the IT guy and once by Podesta? Not a whole lot of vetting going on here, evidently.

Amusingly, part of the phishing site can still be viewed via Google Cache.

John Podesta Phishing, Google Cache

It’s a copy of John Podesta’s Wikipedia Page.



CSS Disclosure: tar Extract Pathname Bypass

T2’16 Infosec Conference kicked off this morning in Helsinki. And to celebrate this, F-Secure CSS security consultant Harry Sintonen has a vulnerability disclosure to publish.

See below for more info.

Tar will happily extract files & directories into an arbitrary location when supplied with a suitably crafted archive file. If a target system is extracting an attacker supplied file, the vulnerability can be exploited to gain file overwrite capability.

We have exploited this vulnerability in environments where tar was run as root to gain root access on the target. In most scenarios this is a non-issue, however as we have witnessed, corner cases can be quite useful.

After the communication with different parties was discontinued for more than 42 days, the decision was made to proceed with our honorable disclosure policy.

tar Extract Pathname Bypass

Full Disclosure: POINTYFEATHER / tar Extract Pathname Bypass (CVE-2016-6321)
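For a system that has to unpack archives it did not create, the member list can be audited before anything is written to disk. The following is an added example, not code from the advisory or from tar: it rejects member names and link targets that would land outside the destination or outside a requested pathname. The destination `/srv/unpack`, the function names and the sample archive are constructed for the illustration, and the check works on names only, so it does not account for symlinks that already exist on disk.

```python
"""Added example: audit tar member names before extracting an untrusted archive."""
import io
import posixpath
import tarfile


def _inside(dest, path):
    norm = posixpath.normpath(path)
    return norm == dest or norm.startswith(dest + "/")


def member_problem(member, dest, only_prefix=None):
    """Return why this member must not be extracted, or None if it looks safe."""
    name = member.name
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        # Rejected outright: such a name can match a requested prefix and
        # still resolve somewhere else once the '..' is applied.
        return "'..' component"
    if member.issym() or member.islnk():
        # Symlink targets are relative to the link; hard links to the archive root.
        base = posixpath.join(dest, posixpath.dirname(name)) if member.issym() else dest
        if not _inside(dest, posixpath.join(base, member.linkname)):
            return "link target outside destination"
    elif not (member.isfile() or member.isdir()):
        return "special file (device or FIFO)"
    if only_prefix is not None:
        prefix = only_prefix.rstrip("/")
        if name != prefix and not name.startswith(prefix + "/"):
            return "not under requested pathname"
    return None


def audit_archive(archive_bytes, dest="/srv/unpack", only_prefix=None):
    """Return (member name, reason) for every member that should be refused."""
    dest = posixpath.normpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = member_problem(member, dest, only_prefix)
            if reason:
                findings.append((member.name, reason))
    return findings


def build_sample_archive():
    """Constructed test archive; every name here is made up for the example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/readme.txt/../../outside.txt",
                     "/tmp/absolute.txt", "other/notes.txt"):
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"data\n"))
        for name, target in (("docs/escape", "../../elsewhere"),
                             ("docs/latest", "readme.txt")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = target
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive(), only_prefix="docs"):
        print(f"refuse {name!r}: {reason}")
```

Extraction should go ahead only when the audit returns an empty list, and running it as an unprivileged user limits the damage if a check is missed.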



Hacking An Election Is Hard. Why Not Pwn The Messenger Instead?

Election day USA, November 8th, is nigh.

US elections (during a presidential election year) are a massive affair comprising federal, state, and local candidates for all sorts of elected positions: president, governors, senators, representatives, judges, state and county commissioners, et cetera. They are organized and run at the county level. There are 3,144 counties and county equivalents in the USA. And each of those county boards of elections will be reporting results on the evening of November 8th.

So, just how is it possible to organize all of that information for national consumption in just one evening?

The practical answer is… the Associated Press (AP) does a lot of it.

Calling races, from the national level to state legislatures, is a vital function the AP provides to its members and customers.

From top to bottom, no other news organization has people on the ground covering elections like the AP does. This puts AP in a somewhat delicate position as the timing of calling races can get political…

In June 2016, the Associated Press called the Democratic nomination for Hillary Clinton, a day before six states voted, angering many supporters of Senator Bernie Sanders. But still, broadcasters such as NBC and ABC soon followed the AP’s lead. And expectations were set. That’s the oversized role the Associated Press plays in the US election process.

And how does the process work?

Here it is, as described on the AP’s products & services page, How AP Calls Winners.

AP Calling Races, Steps 1 to 5

Step 3 – Vote entry clerk keys in results.

Stringers and entry clerks? Sounds interesting. Let’s find out more.

This is from AP’s FAQ on counting the vote:

Q: How are the votes counted?

A: Shortly before the polls close, over 4,000 stringers report to county election centers. When the first polls close, they’ll be ready to start phoning in the raw vote as it is reported by the counties. They’ll place their calls to AP election centers around the country.

At the centers, a total of over 800 vote entry clerks will answer those calls, and walk each stringer through a dialogue as they enter the number of precincts reporting and the candidates’ votes into our election night system. Since many states and counties display their election night results on websites, teams at the election centers also monitor those sites and enter results into the same system. This system tabulates the results and disseminates them in a number of formats to our member news organizations and customers.

(Emphasis mine.)

Here’s a picture of AP’s 2012 Eastern Election Center.

AP's Eastern Election Center 2012

Source: AP

So, 800 vote entry clerks input the results into an “election night system”. And given the world that we live in, that system is probably connected to the Internet, right? If so, perhaps we can locate it on the deep web.

Using F-Secure Riddler, I first searched for “pld:ap.org”, which yielded 171 results. Next, I narrowed my search to “pld:ap.org keyword:microsoft-iis/6.0” and got back 16 results including one for a server called: apvotecount2.ap.org. Hmm.

Riddler pld:ap.org keyword:microsoft-iis/6.0

165.1.159.194 – apvotecount2.ap.org

Having a “2” in its name suggests it’s a legacy server, as does the 2006 copyright.

Screenshot of apvotecount2.ap.org

© 2006

I continued searching and located: apvotecount.ap.org, running IIS 7.0.

Riddler pld:ap.org keyword:microsoft-iis/7.0

165.1.190.194 – apvotecount.ap.org

It displays a 2010 copyright…

Screenshot of apvotecount.ap.org

© 2010

Disclaimer – I have no idea if “AP Vote Count” is the “election night system” referred to above. It seems quite possible that it is (but I hope I’m wrong).

Thoughts:

  • Leaving a legacy server online is probably (actually, definitely) a bad idea.
  • A publicly visible plain text, non-encrypted login page, no HTTPS. Really not a great idea.
  • AP Vote Count appears to be hosted in New York, not behind DDoS mitigation services. That sort of seems problematic.

Pwning the messenger

Let’s stipulate that hacking a U.S. election is very unlikely because the system is so diffuse.

So, what’s a threat actor to do?

Well, what’s not diffuse? The reporting of the results! Those are far more centralized – a perfect target.

And therefore, AP’s system could be a critical point of failure on election night. A threat actor couldn’t actually change the vote, but the results could definitely be undermined. A DDoS attack on the AP’s election night system could result in a delayed tally. And in the current political environment, delayed results will spread suspicions of voter fraud. If the system is vulnerable to hacking, illegitimate input might be possible, confusing the reporting, with the same potential results.

Alternatively, if the system is vulnerable, perhaps an attacker would prefer insider access for the sake of market arbitrage. Or to create market chaos. It wouldn’t be the first time that a hacker caused markets to move.

Market reaction to AP Tweet

April, 2013

Conclusion

I wish these concerns were far fetched. But given the targeted hacks and DDoS attacks seen during 2016, I don’t think they are.



Fun With Internet Metadata (AKA The Deep Web)

Our Cyber Security Services (CSS) division spend a fair amount of time working with companies on threat assessments. They’ve been doing this stuff for several years, and during that time, they developed some useful tools to make their jobs easier.

One of those tools is Riddler. It’s a web crawler that makes Internet metadata available via a search interface, and it’s useful for looking at relationships between domains, hosts, and IP addresses. It also lists metadata associated with sites that can give you clues as to any potential security issues. I got a hold of Riddler about half a year ago, and have had quite a bit of fun playing around with it since then.

Riddler has been available to the public for a while now, but as a company we’ve not really made much noise about it. You can access a web interface to it at riddler.io. The free version only returns ten results from a query, so it has limited use, but the subscription version is a lot more interesting. With that, you get access to a command-line interface and an API which makes it pretty easy to build your own mapping and monitoring tools.

I got quite addicted to digging through internet queries using the Riddler command-line interface.


I just finished writing a white paper about Riddler, which is available here. The paper tells the story behind Riddler – why and how we built it, a short guide on how to use it, and some ideas about what it can be used to do. If you’re interested in doing threat assessments, or like myself, just enjoy digging through Internet metadata, give it a look!



What’s The Deal With Non-Signature-Based Anti-Malware Solutions?

Gartner recently published an insightful report entitled “The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization”. In this report, it discusses the ways in which non-signature technologies can be used to augment an organization’s endpoint protection strategy.

Let’s take a look at how Gartner has defined non-signature malware detection solutions. Here’s a clip directly from the report.

Gartner's list of nonsignature technologies

Gartner’s list of non-signature technologies, taken from “The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization” report, 22nd September 2016, by Eric Ouellet and Peter Firstbrook

So, how do our endpoint protection technologies stand up against these competitor solutions?

Hardening — typically application control

This is a feature we include in our business products that’s coincidentally called “Application Control”. It’s something I haven’t specifically blogged about (yet). This feature works great in corporate environments, where the IT department can create a defined list of software or Authenticode certificates that are allowed in the organization. This white list is then applied to each endpoint, and only software defined on this list is allowed to execute.

Application control is especially useful in hardened environments such as embedded devices (think ATM machines or bank teller terminals) where the list of allowed software is small and very well-defined. In other corporate environments, it can be overly restrictive to the end-user. This is why it’s a business feature. We leave it to the local IT department to define how they want to use the feature, based on how restrictive their policies are.

I’m actually not sure how long we’ve had application control in our products. As far as I remember, the feature was already there when I started at F-Secure over 11 years ago. (I tried to install World of Warcraft on my work laptop, for after hours fun, and was promptly disallowed.)

Hardening can also include patch management. We have a component we call “Software Updater”, the function of which is to enumerate all software on the system, check for latest patch versions, and automatically update the software, in the background, without the user needing to do anything themselves. Since unpatched vulnerabilities are one of the most common ways an attacker can infect a system, patch management is extremely useful, since it frees up the admin for other important tasks.

Memory protection (exploit prevention)

Our own exploit prevention methods are the same as those used in non-signature products. We hook application and system processes in order to analyze memory and execution traces, spot suspicious behavior, and shut down offending processes. This allows us to prevent exploits against browsers, browser plugins, and common applications (such as PDF readers and Microsoft Office). It’s also useful for catching scripted attacks. This is the same technology used in our activity/behavior monitoring, which is covered below.

Isolation

Isolation technologies protect the system by sandboxing processes and allowing them limited access to the operating system. Bromium is the first product that comes to my mind when I think of isolation technologies. This is something we don’t do, because it’s a radically different approach to securing the endpoint, akin to taking Windows and making it work like iOS. Isolation is a really cool way of protecting a system (if you can solve the non-trivial usability issues that it presents). Done right, isolation technologies can negate the need for most other types of protection.

The closest thing we’re doing to this is on-client sandbox analysis. When we hit certain suspicious-looking samples, we launch a sandbox, run the executable in question, examine its execution trace, and make a determination as to whether the sample is malicious. This analysis approach can tax system performance, so it’s not something we’ll do on every file we encounter. Malware writers tend to add new anti-emulation tricks that defeat sandboxing, and this forces us to update the components and rules once in a while.

Activity/behavior monitoring

I’ve covered our behavioral analysis protection technologies in a few of my explainer posts. In fact, there’s one entirely dedicated to that topic here. I won’t bother reiterating what’s in that post except to say that we’ve been doing endpoint behavioral analysis for a decade already, and it comes as standard on every Windows product we ship. Familiar with Locky? The behavioral rules that caught that particular ransomware family were in our product for over half a year before it was in the wild.

Algorithmic file classification

I recently wrote about how we use machine learning techniques in a variety of our protection and detection technologies here. As that explainer states, we’ve been using machine learning techniques to train endpoint components to identify suspiciousness on both the structural and behavioral level. And, again, we’ve been shipping these technologies in our Windows products for ten years.

We ticked four out of the five boxes. What does that make F-Secure?

Gartner is an authoritative and influential player in the cybersecurity industry. Many enterprises go to them for advice when it comes to choosing a new product or solution. We understand that terminology is needed to distinguish between pure-play technology providers and established endpoint protection players. In its report Gartner uses the terms “non-signature” and “signature-based” to differentiate between the two. The problem as I see it is that “next-gen” marketing departments have perverted the term “signature-based” into “signature-only”.

All technically minded people know that there aren’t any signature-only endpoint protection products on the market. But “signature-based” also seems to imply that this category of products is overly reliant on signatures to protect against threats. This is most definitely not the case. For instance, we actually have internal test configurations with signature-based technologies disabled and our products still do a great job at blocking emerging threats.

Most of the mentioned pure-play vendors use a single technology from that list of “non-signature” technologies as the basis for their entire protection stack (something which some industry analysts refer to as “feature-as-a-product”). Our product utilizes four of those technologies at the same time. Given that a list of “non-signature” vendors was supplied in the report, but a corresponding list of “signature-based” vendors wasn’t, we’re wondering exactly how our products would be classified, because we clearly don’t fall into either category.

Or at least, we don’t think so and reject the label… signature-based.



Definitely Not Cerber

At the beginning of last week we noticed a spam campaign delivering a double zipped JScript file. The campaign started on September 8th. The email had the subject line of “RE: [name of recipient]” with an empty body, and an attached zip file named “[recipient name][a-z]{4}.zip”. The characteristics of the mail, naming of the attached item, […]

2016-09-20

Seriously, Put Away The Foil

I was scanning the headlines this morning, as I do, and came across this article by YLE Uutiset (News). — “Finnish police: Keep your car keys in the fridge” From YLE’s article: “These so-called smart keys work by emitting a signal when the driver touches the door handle. The lock opens when it recognises the […]

2016-09-15

0ld 5ch00l MBR Malware

I recently installed Audacity, an open source audio editor… And while verifying the current version to download, I came across an interesting security notification. Before I read the details, I fully expected to discover yet another case of some crypto-ransomware group hijacking and trojanizing an application installer. But not so! Audacity’s download partner was infiltrated […]

2016-09-07

What’s The Deal With Machine Learning?

We’ve recently received quite a few questions regarding the use of machine learning techniques in cyber security. I figured it was time for a blog post. Interestingly, while I was writing this post, we got asked even more questions, so the timing couldn’t be better. It seems that there are quite a few companies out […]

2016-08-26

Coming Soon: iOS 10

I’ve been testing iOS 10 Beta for several weeks (on a secondary iPad mini 2 of mine) and so far, so good. I’m enjoying Swift Playgrounds and looking forward to the final release. Most of the changes I’ve noticed have been surface (i.e., UI) changes. But today I read an interesting blog post by @nabla_c0d3, […]

2016-08-19

Got Ransomware? Negotiate

ICYMI: we recently published a customer service study of various crypto-ransomware families. Communication being a crucial element of ransomware schemes, we decided to put it to a comparative test. The biggest takeaway? If you find yourself compromised – negotiate. You have little to lose, the majority of extortionists appear to be willing to work with their […]

2016-08-10

NanHaiShu: RATing the South China Sea

Since last year, we have been following a threat that we refer to as NanHaiShu, which is a Remote Access Trojan. The threat actors behind this malware target government and private-sector organizations that were directly or indirectly involved in the international territorial dispute centering on the South China Sea. Hence, the name nán hǎi shǔ […]

2016-08-04

Bye Bye Flash! Part 2.5. Microsoft Edge Is Going “Click To Flash”

After last Thursday’s article on how Firefox will start reducing support for Flash, I received some comments pointing me to an announcement from Microsoft, back in April, where they stated that their Edge browser would also move towards a “Click to Flash” approach. The announcement notes that Flash plugins not central to the web page will […]

2016-07-25

Bye Bye Flash! Part 2 – Firefox Plans To “Reduce” Support For Flash

Earlier this year, in our 2015 Threat Report, our own Sean Sullivan predicted that Chrome, Firefox, and Microsoft would announce an iterative shift away from supporting Flash in the browser by 2017. Last month, we covered the announcement made by Google. As predicted, just yesterday, the Firefox developers made a similar announcement on their blog. […]

2016-07-21

Malware History: Code Red

Fifteen years (5479 days) ago… Code Red hit its peak. An infamous computer worm, Code Red exploited a vulnerability in Microsoft Internet Information Server (IIS) to propagate. Infected servers displayed the following message. See @mikko’s Tweet below for a visualization. @FSLabs @FSecure @5ean5ullivan pic.twitter.com/7c0yTc66ix — Mikko Hypponen (@mikko) July 18, 2016

2016-07-19