Freedome Tracking Protection Comparison

Labs Fellow Edilberto Cajucom recently tested¹ our Freedome VPN’s Tracking Protection feature to measure its effect on the page load speed and size of numerous popular sites.

Here’s a graph of speed comparisons using a subset of sites from Alexa’s news category.

Page Load Speed Comparison

As you can see, there’s quite a measurable effect on several sites; Huffington Post and USA Today loaded in half the time (2.1x faster). Conclusion: blocking trackers saves time.

And here’s a graph of size comparisons.

Page Load Size Comparison

With Tracking Protection enabled, CNNMoney only loaded 1.4MB compared to 3MB. AccuWeather loaded 10.4MB compared to 17.3MB. Conclusion: blocking trackers saves bandwidth.

Happy surfing Freedome lovers!


¹ The testing was done from our Helsinki-based lab via Freedome’s Netherlands-based exit node.

Apple iOS 9 Security Features

Apple’s September Event 2015 takes place today so 9/9 = iOS 9 announcements.

Apple is promising improved security with iOS 9. Implementing six-digit passcodes for Touch ID is one well-publicized example.

iOS 9 improved security

Source: Apple

Security researcher Frederic Jacobs has an excellent summary of other documented changes on Medium.

A small change that I’ve noticed while testing iOS 9’s public beta is related to Windows¹.

This is the prompt you’ll see when connecting an iOS 9 device to a computer with iTunes installed (which includes anything running OS X).

And this is the prompt you’ll see when connecting an iOS 9 device to a (Windows) computer with no iTunes drivers installed.

iOS 9, Allow this device to access photos and videos?

It’s a subtle but interesting difference. Allow implies limited access, whereas trust implies something greater. There have been cross-platform malware attempts aimed at iOS in the past. With this allow prompt, a careful observer could determine when such cross-platform malware is present. If you connect your iOS 9 device to a Windows computer that you know doesn’t have iTunes installed and are asked to trust… don’t.

Another small but very welcome change that I wrote about in July is a new Safari feature.

Scam sites attempting to lock Safari into an endless loop of JavaScript alert dialogs will find their efforts foiled by Safari’s new option to “Block Alerts”.

iOS 9 Safari, Block alerts from?

All in all iOS 9 looks good. I hope to see some more security info during Apple’s event today, and I’m looking forward to iOS 9’s public release scheduled for September 16th.


¹ Testing with Kali Linux yielded a “trust” prompt.

Sofacy Recycles Carberp and Metasploit Code

1. Introduction

The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in its APT campaigns. For example, two recent zero-days used by the Sofacy Group exploited vulnerabilities in Microsoft Office (CVE-2015-2424) and Java (CVE-2015-2590).

If the exploit is successful, it installs a Sofacy downloader component, which is different from what we have seen before. This downloader was based on the notorious Carberp source code, which leaked out into the public domain in the summer of 2013.

1.1 Bootstrapped Firefox Add-on

Aside from zero-day exploits, we have also encountered the Carberp-based downloader deployed via other means, such as a bootstrapped Firefox add-on, during spring this year. But what is a bootstrapped add-on? According to Mozilla, it is a type of add-on that you can install and use without needing to restart the browser.

The installation of this Sofacy add-on mostly relies on social engineering. When the user visits the malicious or compromised website, they are prompted to install the add-on.

HTML5 Rendering Enhancements 1.0.

Figure 1: Sofacy HTML5 Rendering Enhancements add-on

The main code is stored in the bootstrap.js file within the add-on package. Once the add-on is activated, the JavaScript will download the Sofacy Carberp-based downloader from the following URL:


The payload will be saved locally as vmware_manager.exe.

This bootstrapped add-on technique isn’t entirely new; it has been documented since 2007 and has been used mostly by potentially unwanted applications. However, this is the first time that we have seen Sofacy use this method. Most of the code in Sofacy’s bootstrap.js file was copied directly from Metasploit, including the GUID {d0df471a-9896-4e6d-83e2-13a04ed6df33} as well as the add-on name “HTML5 Rendering Enhancements”. The payload-downloading section, on the other hand, was copied from one of Mozilla’s code snippets.

2. Technical information about the dropper and DLL

The exploit document or add-on carries a simple PE executable, which installs an embedded DLL to the system. The executable file is around 100KB in size and is not packed with any file compressor, but the DLL is compressed using the standard Windows APIs and decompressed with RtlDecompressBuffer before being dropped to disk. One notable feature common to all the samples we’ve seen is a temporary file named jhuhugit.temp. This filename is about the only clear text string in the EXE; most of the other strings are obfuscated with an XOR algorithm using a fixed 11-byte key. Another interesting string appearing in some of the samples is the encryption key “bRS8yYQ0APq9xfzC”. This happens to be one of the fixed “main passwords” found in the Carberp source GitHub tree.

The DLL is executed via the system executable rundll32.exe, by calling an export named “init”. The DLL itself doesn’t have much functionality. It simply sits in a loop, querying one of its fixed C2 servers every 30 minutes. We haven’t yet been able to retrieve any live payloads from the servers, but based on the code, the DLL would execute the payloads exactly the way it was itself executed in the first place. The C2 server addresses and other configuration data are obfuscated using the same 11-byte XOR key algorithm. Nothing really fancy so far, but the same Carberp password, also used by all the DLLs we’ve seen, got us curious enough to find out what the connection is.

By carefully reverse engineering the DLL, it became apparent that this family is based on the Carberp source code. The code repository is not exactly the same as what can be found on GitHub, but close enough to support such claims, as we’ll see later. Features of this Sofacy component that are based on the Carberp sources include the API resolving algorithm and the code injection mechanism. The algorithm used for generating random URLs is also loosely based on Carberp.

3. Comparison to Carberp source code

3.1. API resolving algorithm

In the public Carberp source code, APIs are resolved at run time using code constructs like this:

#define pLoadLibraryA   pushargEx< DLL_KERNEL32, 0xC8AC8026, 2 >

In this example, the function pLoadLibraryA is defined in terms of another function, pushargEx, which is given the following template arguments:

  • Module identifier is DLL_KERNEL32 in this example
  • Function name hash is C8AC8026, which is calculated at run time
  • Function cache index is 2

The function pushargEx has multiple definitions, one for each possible number of function arguments. Here is an example of the definition for 5 arguments:

template< DWORD h, DWORD hash, DWORD CacheIndex, class A, class B, class C, class D, class E >
inline LPVOID pushargEx(A a1, B a2, C a3, D a4, E a5)
{
    // Resolve the API by module id and name hash, then call it through a typed pointer.
    typedef LPVOID (WINAPI *newfunc)(A, B, C, D, E);
    newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
    return func(a1, a2, a3, a4, a5);
}

pushargEx ends up calling GetProcAddressEx2, which locates the API function’s address based on the name hash; the resolved function is then called. The purpose of this construct is to be able to use standard Win32 API functions normally in the code, just by prefixing their names with the character ‘p’. The resulting compiled code is not very easy to read, which slows down the reverse engineering process. It also has the additional benefit of making the code truly position independent, which is useful for code injection.

Carberp’s source tree includes a list of API hashes, and the corresponding cache indexes in a nice list like this.

Figure 2: Carberp API list

Now back to the Sofacy binary code. It is apparent from the decompiled example snippet that it uses the same hashing algorithm and index numbering.

Figure 3: Sofacy GetModuleHandleA

GetModuleHandleA is just one of the many functions resolved dynamically by Sofacy. But they all match the Carberp source code exactly – the hashes and arguments match, as well as the indexing (see index number #43 in Figure 2).

Looking further into the API resolver, we can observe striking similarities in the functions named GetProcAddressEx and GetProcAddressEx2. Here’s a screenshot of GetProcAddressEx2 from the Carberp sources and decompiled code from a Sofacy binary, side by side.

Figure 4: GetProcAddressEx2 from Carberp and Sofacy

And here’s a similar comparison for GetProcAddressEx from Carberp sources and decompiled code from a Sofacy binary.

Figure 5: GetProcAddressEx from Carberp and Sofacy

In the decompiled code snippets, all the function names and variables have been named according to the Carberp sources on purpose, just for the sake of demonstration.

3.2. Code injection

Sofacy uses code injection for all networking code, injecting its own functions into browser processes. The processes are located using the Carberp process name hashing algorithm. The purpose of this setup is most likely to get around personal firewalls and other behavior detection systems.

The injection starts with a function named InjectIntoProcess, which opens a process, injects code with InjectCode4 and runs it with CreateRemoteThread. Below is a snippet from Carberp.

Figure 6: InjectCode4 from the Carberp source

InjectIntoProcess and InjectCode4 from the Sofacy binary combine this functionality.

Figure 7: InjectIntoProcess from Sofacy

Figure 8: InjectCode4 from Sofacy

3.3. Mysterious Main Password

In the Carberp sources, there exists a password called MainPassword, RC2_Password or DebugPassword. One of the possible values of this password is “bRS8yYQ0APq9xfzC”, which is also used by Sofacy. In Carberp, this password is used, for example, to encrypt HTTP traffic. In Sofacy, however, it is used in quite a different manner: Sofacy has a modified algorithm for API resolution that uses the same password. In Carberp, the resolver has a clear text list of DLL names, which the index parameter in GetProcAddressEx2 refers to. In Sofacy, this list is obfuscated with a simple XOR-based algorithm, using the Carberp “main password”.
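As an added illustration of the two string obfuscation schemes described in this post (the fixed 11-byte XOR key applied to the EXE strings and C2 configuration in section 2, and the Carberp main password applied to the DLL-name list in this section), here is an analyst-side decoder. This is example code written for this page, not code from the post or from the analysed samples; it assumes plain repeating-key XOR, which the post does not specify, and the 11-byte key, the string tables and their NUL-separated layout are constructed.

```python
# Example analyst-side decoder (not from the post or the samples): repeating-key XOR is
# assumed for both schemes; the 11-byte key, the string tables and their layout are constructed.
from typing import List, Optional

MAIN_PASSWORD = b"bRS8yYQ0APq9xfzC"   # Carberp main password quoted in the post
SAMPLE_KEY_11 = b"\x13\x37\x42\x7f\x01\x2a\x55\x0c\x99\xe1\x07"   # constructed 11-byte key


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. It is symmetric, so one function obfuscates and deobfuscates."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string_table(blob: bytes, key: bytes) -> List[str]:
    """Decode a table of NUL-separated strings that was XORed as one continuous stream.

    Constructed layout assumption: the key position keeps advancing across string
    boundaries rather than restarting for every string."""
    plain = xor_with_key(blob, key)
    return [s.decode("latin-1") for s in plain.split(b"\x00") if s]


def recover_key_from_crib(blob: bytes, crib: bytes, offset: int, key_len: int) -> Optional[bytes]:
    """Recover a repeating XOR key of known length from a known plaintext (crib).

    Every blob position p fixes key byte p % key_len, so a crib of at least key_len
    consecutive bytes at a known offset determines the whole key. Returns None when the
    crib is too short or runs past the end of the blob."""
    if len(crib) < key_len or offset + len(crib) > len(blob):
        return None
    key = bytearray(key_len)
    for i, c in enumerate(crib):
        key[(offset + i) % key_len] = blob[offset + i] ^ c
    return bytes(key)


# Constructed demonstration data; these are not values from the real samples.
C2_TABLE = b"http://c2.example.invalid/path\x00rundll32.exe\x00init\x00"
DLL_LIST = b"kernel32.dll\x00ntdll.dll\x00ws2_32.dll\x00"


def demo() -> dict:
    """Obfuscate the constructed tables, then recover them the way an analyst would."""
    obf_c2 = xor_with_key(C2_TABLE, SAMPLE_KEY_11)        # section 2 scheme
    obf_dlls = xor_with_key(DLL_LIST, MAIN_PASSWORD)      # section 3.3 scheme
    # With the key unknown, a crib (here the rundll32.exe host named in the post, 12 bytes,
    # longer than the 11-byte key) at a known offset is enough to recover the key.
    offset = C2_TABLE.index(b"rundll32.exe")
    recovered = recover_key_from_crib(obf_c2, b"rundll32.exe", offset, 11)
    return {
        "c2_strings": decode_string_table(obf_c2, recovered),
        "dll_names": decode_string_table(obf_dlls, MAIN_PASSWORD),
        "recovered_key_matches": recovered == SAMPLE_KEY_11,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```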

4. Conclusions

Based on the analysis presented in this blog post, it should now be evident that the new Sofacy downloader is based on Carberp source code. However, there are also some very strong differences, for example in the API resolver and its use of the Carberp main password. What can we conclude about this connection? We think it means the Sofacy gang has a private source tree of the Carberp source code. The use of the password for protecting DLL names in the resolver suggests that the source is more recent than what is publicly available on GitHub. Does it mean the Sofacy gang just cloned the source tree and continued development, or is it being developed further by somebody else behind the scenes? That, we don’t know yet. But the Sofacy connection, in addition to recent incidents by Anunak/Carbanak (also based on Carberp), indicates that Carberp is still alive and kicking.

5. Hashes

5c3e709517f41febf03109fa9d597f2ccc495956 (decompiled code examples)

Buy Your Freedome With Cash Money

Our Freedome sales team ran a special promotion over the weekend and when I Tweeted about it, several people asked about the privacy of our payments processor. Short answer is this: we don’t get any access to your personal information. But what if you still don’t want to deal with ecommerce? No problem.

You can buy Freedome with cash money.

Cash can buy your Freedome.

Bitcoin not required.

Let’s say you’re in Germany. Just go visit one of or’s physical locations and pick up a box.

Freedome for sale.

Freedome (code) inside a box.

The box is available at finer retailers in several regions; Tweet at @FreedomeVPN for more info.


Today’s Best Email

Software engineers automate everything…

A farewell message generated using a Markov chain model trained on past farewell emails.

Goodbye “Markov”!


LinkedIn Sockpuppets Are Targeting Security Researchers

Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs. Several of our researchers received these LinkedIn invitations themselves and Daavid from our Threat Intelligence team decided to investigate.

Here’s an example of one so-called “recruiter” account.

Jennifer White's LinkedIn profile

Who is this woman?

Areas of interest include pen testing and social engineering? You don’t say.

“Jennifer” supposedly works for Talent Src a.k.a. Talent Sources.

Talent Src's LinkedIn page.

(Note its specialties.)

A reverse image search shows that Talent Source’s logo isn’t original.

Google Images result for Talent Source’s logo.

And its Twitter account uses an egg. (Lazy.)


Here are Jennifer’s supposed colleagues…

The “employees” of Talent Source.

Each recruiter account is focused on a particular type of specialist.

Reverse image searches of Alex, John, Monika, and Silvia yielded no results… at first. Daavid flipped the images and then located mirror copies on Instagram as well as some legitimate LinkedIn profiles. Reverse image search engines would do well to offer mirror searches as an option. We weren’t able to locate the source of Jennifer’s photo.

And now, Jennifer and the other recruiter accounts are gone.

This seems to be the modus operandi of whoever is behind these accounts, as Fox-IT’s Yonathan Klijnsma explained on Twitter.

(Or attractive male.)

Discouragingly, Daavid discovered that one of Jennifer’s connections gave her a bunch of endorsements for skills that the account clearly didn’t deserve based on the published work history. At least, not unless retailers are training clerks to reverse engineer software. When asked about it, the connection (an employee of a large US-based defense contractor) admitted that it was a bad habit to give out such endorsements without really knowing the other person.


If you look back to the employee list, you’ll see that “Hannah” was focused on security executives. Let’s hope none of them gave away any important details.


You’ve Got Robot Mail

I listened to the BBC World Service’s Click podcast this morning during my commute and learned that Posti (Finland’s postal services provider) is testing drone delivery.

Source: Posti

Posti has a video of the “robottikopteri” in action on its YouTube channel.

Coincidentally, on my walk home last night, I heard the sound of a quadcopter flying around somewhere in my neighborhood. A telling sign of the times? Will we all soon need to get used to the overhead drone of UAVs?

For a deeper discussion on the many possibilities, pros and cons, that may result from drone/UAV tech, check out these episodes of Click:


Trackers Are Out Of Control

Modern web analytics and tracking are completely out of control. And it’s not even a privacy issue for me at this point – it’s more about usability. Trackers are practically recreating the “dial-up Internet” experience. (Ask your parents, kids.) It’s 2015 – but a lot of websites load like it’s 1999.

And it seems like the problem turns up just about everywhere these days.

Let’s take a look at a well known brick and mortar retailer’s website using Ghostery for visualization. Here’s the US localization of Ikea’s website, with third-party cookies enabled.

Ikea’s US localization with third-party cookies allowed. (Firefox 40 for Windows.)

According to Ghostery, 9 different tracker resources are loading. (I use Ghostery for visualization, not for blocking.) Okay, fair enough.

Now here’s the Finnish localization of Ikea’s website, with third-party cookies not allowed.

Ikea’s Finnish localization with third-party cookies disabled.

According to Ghostery, 11 different trackers are loading. But remember… this is with no third-party cookies. So what happens when third-party cookies are enabled?

38 more trackers come join the party!

Ikea’s Finnish localization with third-party cookies allowed.

That’s 49 trackers in total. (Feels just a bit excessive, no?)

I really don’t get this, I just want to do some window-shopping before I visit the physical store.

But anyway…

If an opening set of trackers are allowed to load successfully and to drop their cookies, they’ll often go fetch more resources, and that slows down your browsing as a result.

I typically disallow all third-party cookies in my efforts to block trackers. This very rarely creates any conflicts for me. However, one of my colleagues has tested this setting and discovered that he cannot sign in to sites such as Sony’s PlayStation Network. (But for that I’d recommend using a second browser.) So keep that in mind.

In your primary browser, I recommend setting “accept third-party cookies” to “never”.

Here’s Firefox 40 for Windows.


Firefox > Options > Privacy

Here’s the settings in Chrome 44 for Windows.


Chrome > Settings > Show advanced settings > Content settings

And here are the settings for iOS 9.

iOS 9 > Settings > Safari > Privacy & Security

I use “Allow from Current Website Only” in iOS.

iOS 9 > Settings > Safari > Privacy & Security > Block Cookies

And then of course, you can also block tracking resources on the network side via a VPN with tracking filters.

Ikea’s Finnish localization with third-party cookies allowed, using Freedome.

As you can see above, our Freedome VPN reduces the number of trackers that attempt to load to a mere two. Much better.

Whatever approach you opt for, killing trackers as early as possible will yield a better browsing experience.

Happy hunting.


Visiting INTERPOL’s New Complex

Su Gim Goh from our Malaysian lab and I had a chance this week to visit INTERPOL’s new Global Complex for Innovation, which is located in Singapore. Inside, a fleet of analysts from around the world investigate international crime, including cyber-crime.

While we can’t go into details, it was nevertheless impressive to see the level of expertise their staff had on things like Tor and Bitcoin.

Signing off,


Amazon Says No To Flash Ads

Flash-based malvertising has run amok lately. So it was only a matter of time before something like this was announced:

“Beginning September 1, 2015, Amazon no longer accepts Flash ads on, AAP, and various IAB standard placements across owned and operated domains.”

Amazon Advertising Technical Guidelines.

Amazon is doing more than banning Flash. For example…

  • Content must only come from the serving ad server’s domain
  • Named domains only, no raw IP addresses are allowed
  • Display URL must be the actual destination, no redirects

And more.

This is a very good move on Amazon’s part, and hopefully other companies will follow suit sooner rather than later. Flash-based ads are now an all-too-common security risk. Everybody will be better off without them.


It’s A Trap!

Be careful out there. Simple bait often works best… Here’s an example of some current spam with an Excel file attachment named “Payment instruction & Swift.xls”. The Excel attachment contains a malicious macro which will attempt to download and install the DarkComet RAT. F-Secure detects this attachment (and others like it) as W97M.Downloader.C. Nasty stuff. […]


About The Security Content Of iOS 8.4.1

Whenever there’s a new version of iOS, I always like to know more about the security updates. Apple Support hosts the main Apple security updates page. From there you can find the update information for iOS 8.4.1, which addresses 71 vulnerabilities. This update is not very large in file size, so all things considered, it’s […]


Malware On The Water

Never seen this before: lyrics for first verse of Deep Purple's "Smoke on the Water" embedded in a malware sample — Artturi Lehtiö (@lehtior2) August 13, 2015


Duke APT Group’s Latest Tools: Cloud Services and Linux Support

Recent weeks have seen the outing of two new additions to the Duke group’s toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it’s written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we […]


I, For One, Welcome Our New Platforming Overlords

Latest attempt to inject Mario with AI is unnerving: ~ Mario is apparently the form of the destructor. #singularity — Sean Sullivan (@5ean5ullivan) January 20, 2015