Two Charts That Demonstrate One Of Android’s Big Security Problems

Applying the most recent security updates to your device’s operating system is a best practice security fundamental. If you’re not running the latest version of an OS, you’re opening your device to potential exploits.

This is a chart of Apple’s iOS 9 adaptation rate.

iOS 9 Adoption

Source: Mixpanel

Trading places – iOS 9 was released on September 16, 2015 and very quickly swapped places with iOS 8 and then accounted for the majority of all installations.

This is a chart of Google’s Android OS adoption rates.

Android OS Adoption

Source: Mixpanel

Nowhere to be seen – Android 6.0 “Marshmallow” was released on October 5, 2015 and still rates as “Other”. According to Google’s own figures, the latest version of Android only accounts for 1.2% of Android’s distribution. Approximately 70% of Android devices are still running either Kit-Kat or Lollipop (which have known security issues and vulnerabilities).

Lollipop has even gained market share since Marshmallow’s release.

And that’s a pity, because Android 6.0 Marshmallow has better defenses against trending Android malware.



Locky: Clearly Bad Behavior

Over the past week, a new crypto-ransomware threat, dubbed “Locky”, has been making pretty big headlines.

So far, Locky’s most common infection vector has been via e-mail. A word document attachment is sent out claiming to be an invoice. When opened, the document appears scrambled and prompts the recipient to enable macros in order to view, and if they do so, an executable (ladybi.exe) gets dropped and starts encrypting data files using 128-bit AES encryption.

_Locky_recover_instructions

This particular campaign appears to be very well organized, with multiple localizations of the ransomware being deployed worldwide and a large, robust infrastructure in place to support it. Many reports have suggested that the actors behind the spam campaign that is currently spreading Locky are likely the same people who spread the Dridex banking trojan.

Locky auto-generates domain names to call home to. Forcepoint have detailed the domain generation algorithm.

If you’re running our software, DeepGuard, our behavioral detection engine, has been preventing both the attack vectors used by Locky and the behavior of the malware itself. These detections have been around for quite some time already. Following our tried-and-tested prevention strategy, DeepGuard notices malicious behavior, such as Office documents downloading content, dropping files, or running code. DeepGuard stops the mechanisms that allow these sorts of threats to infect your machine right at the source.

The following three detections block malicious behavior associated with Locky and its variants:

  • Trojan-Dropper:W32/Agent.D!DeepGuard
  • Trojan:W32/Pietso.A!DeepGuard
  • Trojan:W32/TeslaCrypt.PE!DeepGuard

These three detections also protect our customers from Pony, Vawtrak, and the latest versions of TeslaCrypt.

Over the weekend, a new Locky infection vector surfaced. This infection vector involves a ZIP attachment containing a JavaScript file, that, if run, downloads the Locky executable and runs it. We detect that variant as Trojan-Downloader:JS/Dridex.W.



Malvertising Via Skype Delivers Angler

A recent malvertising campaign shows that platforms that display ads, even when they are not necessarily the browser, are not immune to the attack.

An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users.

Skype Ad

Skype Call Ad

Skype Ads

This did not really bother us much until last night, when we saw an unusual spike from our charts due to a malvertising campaign via the AppNexus ad platform (adnxs.com).

Spike

URLs

One of the platforms for infection that we observed was Skype. It was interesting to note that having the ad displayed in a platform external to the browser did not mean that the browser was no longer accessible and thus the user could no longer be affected.

http://ams1.ib.adnxs.com/if?e=wqT_3QLNBPBCRA[...]uAQA&s=1d86c6[...]&referrer=skype.com
    led to http://dwuplaszczyznowosc.checkcashingbridgeport.com/boards/index.php
http://ams1.ib.adnxs.com/if?e=wqT_3QLVBPQAAU[...]uAQA&s=a9adea[...]&referrer=skype.com
    led to http://staraly1savage.bendovr.com/forums/viewtopic.php

This is not the first time infections were launched via Skype though, previous reports already mentioned the Skype scenario in forums and security news.

This particular campaign ended up redirecting to the Angler exploit kit.

Typical browser visits were there, of course, which means that this attack was not targeted towards Skype users.  For a user that used a browser, here’s an example of the infection chain that we have observed:

  • User visited ebay.it
  • Ebay.it pulled an ad from ad-emea.doubleclick.net
  • Doubleclick.net pulled an ad from fra1.ib.adnxs.com
  • Adnxs.com redirects to eleison.virtualrealitybros.com which is the Angler exploit kit landing page
  • Angler exploit kit downloads and installs a ransomware called TeslaCrypt

A machine infected with TeslaCrypt will display this message:

TeslaCrypt

Other popular websites that redirected to adnxs.com were gaming-related sites (wowhead.com, gsn.com, zam.com, wikia.com), news sites (dailymail.co.uk) as well as internet portals like msn.com.

This campaign seemed to have ended quite fast. The good thing is, during the active campaign, our users are protected against this threat as we detect Angler as Exploit:JS/AnglerEK.D.



The Malware Museum @ Internet Archive

Here’s what submitting a virus sample looked like back in the days of 5¼ floppy disks.

I sent you this diskette to give you infected or suspicious files for analyzing.

Thank you, Constantine.

And now you can see classic viruses in action at The Malware Museum.

Kudos to Jason Scott.

Here’s the Walker virus.

“ANY KEY TO PLAY”



Crash Safari Follow-Up

It’s been a week since short links to crashsafari.com went viral, and Google has finally killed the most prevalent link (goo.gl/78uQHK).

Unknown request for 78uQHK.

More than three-quarters of a million clicks were made before the short link was disabled for violating Google’s Terms of Service.

This shortlink has been disabled.

But… other short links are still active. Though clicks are definitely on the decline.

Analytics for Vj7Eep.

Why are any of them still active? What is it about these viral links that might delay them from being disabled? Let’s take a closer look at the referrers.

Referrers for Vj7Eep.

Approximately 80% of the clicks are from “unknown” sources, the majority of clicks stripped the referrer. In this case unknown source very likely represents private messaging apps such as iMessage and WhatsApp. Both apps encrypt conversations from end-to-end.

And that means there’s nobody-in-the-middle to filter out bad links.

There is no iMessage client-side filter, and so there’s no opportunity to put automation in place which would automatically report abusive links to the appropriate short link service. And apparently, manual processes take about a week for Apple. Fortunately, crashsafari.com was only being shared as a prank.

The takeaway? Services such as Facebook and Twitter have visibility and thus the potential to curtail threats – but private messaging apps have a weak spot. Choose your friends carefully.

Let’s just hope that next time the would-be prank isn’t a worm waiting in the wings.



AdBlocker White Paper: Benefits of Blocking Ads

Many websites on the modern Internet have advertising content (ads) on their webpages.  While some users find ads useful, many find it irrelevant, annoying or intrusive. Some ads even consume so much resources, they can cause undesirable drain on bandwidth and battery use, more notably on mobile devices. Worse, some ads can even lead to malicious content and other threats.

More about these and why blocking ads can enhance your browsing experience are discussed in this latest white paper on our AdBlocker [PDF] app for iOS.

How does adblocking work?

Oh and did I mention that our AdBlocker app is also free?



Crash Safari Goes Viral… But Why Not On Android?

On January 25th somebody created a Google short-link for a website called crashsafari.com. The site creates a loop which crashes iOS Safari and causes a partial device reboot.

It also causes various other browsers to hang or crash. Read more at Wired.

But here’s what I find curious…

Here’s an example of some Tweets using the Google short-link: /78uQHK.

Crash Safari Tweets

They look “cross-platform” to me. There’s nothing about them which should tempt an iPhone owner more than an Android owner. And the same is true of the sizable majority of Facebook posts that I found using the same goo.gl link.

So it seems somewhat odd that of the nearly 500 thousand clicks the link has received (so far), only about 12.5% of them are coming from Android devices.

Perhaps Android’s market share of “smart” phones isn’t all it’s made out to be? (A family member of mine uses hers like a feature phone.)

What’s your take?

@5ean5ullivan



Angler Exploit Kit’s January Vacation

Since last year, we’ve been monitoring various redirectors which lead to exploit kits (EK). One of the redirectors in question routes to either Angler EK or Neutrino EK. SANS ISC has also observed this particular redirector switching between these two kits.

At the beginning of this year, we noticed a sudden significant drop in our telemetry for this redirector.

Hits of the redirector that leads to either Angler EK or Neutrino EK.

Interestingly, our Angler telemetry also dropped on the same day. Whereas Neutrino remained active. During that time, we noticed that Neutrino was served directly from compromised websites instead of via a redirector.

Angler EK and Neutrino Hits 2015.12.24 - 2016.01.15

At first glance, it looked as if Angler took a vacation. Perhaps that is mostly true, but looking more closely at our telemetry, there was a very small group that remained active during their supposed time off.

Here are some of the instances that we see in our telemetry.

Angler URLs 2016.01.03

On January 11th, Angler activity started picking up again, while Neutrino activity slowly went down. There seems to be no apparent changes between the Angler EK seen before and after the break, which makes it look like they just took some vacation.

It is also interesting to note that Angler uses non-English words in generating their subdomains. The following are some Finnish words we’ve seen used by Angler in 2015 and 2016.

Angler Finnish 2015

“valtioneuvostossa” means “in the State Council”
“omakotirakentamisessa” means “when building single-family detached homes”

Angler Finnish 2016

“kansatieteelliseen” means “to an enthnological [something]”
“nauhoittamasta” means “from recording”



Analyzing Tinba: Configuration Data

Post & Analysis by: Mikko Suominen

Tinba made its entrance into the malware scene a couple of years ago and at the moment, it stands as one of the most popular banking trojans out there. Amongst its noticeable features are the inclusion of preloaded configuration and the implementation of advanced encryption methods to increase its efficiency during operation and to reduce its chance of being dissected.

In this blog post, we’ll focus on the configuration data, specifically on how to extract the configuration data from process memory. The reason why we (and some of you out there) are interested in the configuration data is because this information could help us understand how it operates and who the targets are.

Cracking the XOR encryption

Tinba is known for its form-grabbing and web injection capabilities, which it uses to steal banking credentials from users who unknowingly visited compromised sites. It makes its way into a system mostly via spam emails and exploit kits.

Once downloaded, the form-grabbing and web injection configurations are stored on the disk, protected by XOR with a 4-byte key followed by RC4 and finally ApLib compression. The XOR key is the name of the folder where Tinba files are located, converted from strings to an integer. If no configuration files were downloaded, Tinba will resort to using the prebuilt configuration data from within its binary. This data uses the same encryption as the files minus the XOR encryption.

The XOR encryption is implemented to tie the configuration files to a particular machine. By using a combination of machine and botnet specific data as the XOR key, someone with no access to the infected machine would face a huge challenge in decrypting the files.

Decrypting the configuration files

However, decrypting the files might be unnecessary as Tinba’s method of hiding its configuration data is remarkably poor by modern standards. Both the form-grabbing data and web injection data are fully decrypted and decompressed to be stored permanently in the web browser memory. This is quite careless since other banking trojans tend to jealously guard their configuration data and will only decrypt the data as needed and then immediately wipe the decrypted data from memory once it is no longer needed.

Oversight in memory allocation?

To make matters even easier, Tinba’s author has coded the memory allocation for the configuration data very lazily. Instead of allocating only the necessary amount of memory for the specific data, the author decided to allocate a hard-coded amount of memory large enough to guarantee that any configuration data would fit. Consequently, the large 0x1400000 byte memory block stands out like a sore thumb in the web browser memory space. The form-grabbing configuration data is held at the beginning of the area while the web injection data can be located at the offset 0xa00000 within the area. Both blobs of data begin with the size of the configuration data.

As an example, the following is one entry for the web injection data received by this sample – 9c81cc2206c3fe742522bee0009a7864529652dd.

Tinda web injection data

This sample indicates that the target is a banking institution in Poland.

Similarity to Zeus’ format

If Tinba’s configuration data looks eerily similar to you, it is because it follows the same format used by Zeus and many other malware families. The format has apparently turned into a bit of an industry standard for crimeware because it enables the same malicious web injections to be used on different botnets.

It would be interesting to find out how different malware authors ended up using the same format for their malware’s configuration data. We can assume that the web injection data is not developed by the botnet owner but bought from a third party. If that’s the case, agreeing on a certain configuration format would require cooperation between multiple web injection developers with multiple malware developers. Perhaps it just happens organically because a few years ago Zeus had such a large market share that it make sense for other authors to use the same format to make web-injection procurement easier for customers.


Mikko Suominen is a Senior Analyst on our Remediation team.

Further reading: The Evolution Of Webinjects (VB2014 paper) by Jean-Ian Boutin.



Use iOS Restrictions For Additional Security

Apple iOS has excellent “parental control” options. But really, OS restrictions shouldn’t be limited to parental units. If you run as a limited user on your computer, then you should do the same on your mobile device. So here’s an iOS tip from our Cyber Security Services that Tomi Tuominen shared with me recently.

Use restrictions. Go to: Settings > General > Restrictions. Enable restrictions and set a passcode.

And to start: set Accounts to “Don’t Allow Changes”.

iOS 9.2 Restrictions

I also prefer to restrict “Background App Refresh” changes to ensure that newly installed apps cannot run in the background until I explicitly allow them to do so.

Happy configuring to you!



January 13th – Advanced Persistent Threat Meetup

Winter has finally arrived in Helsinki… Come and experience it for yourself. How? Join our APT Meetup on January 13th! Speakers will include Frode Hommedal and Artturi Lehtiö. And here’s your opportunity: F-Secure will cover the costs for 2 to 3 people, from anywhere in the world. But time is limited, the event is Wednesday […]

2016-01-05

H0H 0H0

Today I was testing iOS 9 “Split View” multitasking with Freedome and KEY… …and discovered that we have a new Freedome exit node? A happy Festivus to us all!

2015-12-21

Senator Wyden’s Questions About Crypto-Ransomware

On December 15th, US Senator Ron Wyden sent a letter to FBI Director James Comey regarding crypto-ransomware. The reported costs are quite surprising. $10,000? My guess is that this is due to multiple computers being hit rather than one overall fee. Here are Wyden’s questions. Hopefully the FBI will provide a detailed reply sooner than […]

2015-12-17

SEE: Sandboxed Execution Environment

Available from F-Secure GitHub: SEE Introduction: Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments. Plugins can be added to a Test Environment […]

2015-12-17

The Online Arms Race

The Online Arms Race Mikko at Web Summit 2015.

2015-12-15

Did iOS 9 Really Improve Passcode Security?

I’ve been doing some password research and was recently reminded of this iOS 9 feature. Apple: “The default for passcodes on your Touch ID–enabled iPhone and iPad is now six digits instead of four. If you use Touch ID, it’s a change you’ll hardly notice. But with one million possible combinations — instead of 10,000 […]

2015-12-08

The Case Of A Flash Redirector From A Brute Force Password Attack

We noticed an unusual spike in “Flash redirector” detection hits during October. The source was compromised websites. The compromised websites had an injected code which loaded a malicious flash object that attempted to redirect users to the Angler exploit kit. This flash redirector is not a new thing. It was written about by MalwareBytes a […]

2015-11-25

Wonknu: A Spy For The 3rd ASEAN-US Summit

In the era of APT’s, it feels like something is amiss when there is a forum of governments and no malware arises. But the 3rd ASEAN-United States Summit on 21 November 2015 did not disappoint. A few days before the Kuala Lumpur summit, a subdomain under asean.org for the ASEAN Secretariat Resource Centre (ARC) was compromised. Malicious code was appended […]

2015-11-24

Oops!… Dell Did It Again

Bad news: Dell has installed a rogue root CA on customer PCs. Dell ships laptops with rogue root CA. https://t.co/70LCd9JAoZ #reddit #DellRoot pic.twitter.com/25QhJTRzZs — Mikko Hypponen (@mikko) November 23, 2015 Why is it bad? Because it’s trivial to perform man-in-the-middle attacks against any computer with the cert installed. Dan Goodin has an excellent writeup here. […]

2015-11-24

Paper: C&C-As-A-Service

Artturi Lehtiö, a researcher on our Threat Intelligence team, recently presented a paper on abusing third-party web services as C&C channels at VB2015. Here’s the abstract: A secure, reliable and undetectable method of communicating with and controlling malware is essential for modern malware operations. But designing, implementing and maintaining your own communication infrastructure isn’t an […]

2015-11-17