Reflash Flash Research Framework

https://labsblog.f-secure.com/2017/02/23/reflash-flash-research-framework/

http://labsblog.f-secure.com/?p=2359

Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack traces by injecting dynamically generated instrumentation into Flash files; the database can later be analyzed with various tools.

Jarkko presented the tool at AVAR 2016 and some people have asked about its availability. So… here it is, released as open source under a GPL-v3 license.

In the Reflash repository, there is also a technical research paper for those interested in the internals of the tool.

[Image: abstract of the Reflash paper on practical ActionScript3 instrumentation]

And Jarkko’s presentation, available here, is helpful for those wanting to set up the tool.

Jarkko presenting at AVAR 2016.

Share and enjoy.


Tagged: Flash, Malware, Paper, Presentation, Security Research, Th3 Cyb3r

Bitcoin Friction Is Ransomware’s Only Constraint

https://labsblog.f-secure.com/2017/02/22/bitcoin-friction-is-ransomwares-only-constraint/

http://labsblog.f-secure.com/?p=2349

In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to decrypt individual files (up to 25 MB in size) rather than all of them.

Also part of the portal… a group chat function for support requests. Multiple conversations all strung together, making for a fascinating read overall.

Spora.bz Public Communication

Among recent conversations is a bit.ly link to a forum page on the site Bleeping Computer where the “Spora Administrator” wanted reviews left, as evidence that paying the extortion results in decrypted files.

The bulk of clicks, according to bit.ly statistics, occur on Tuesdays. FYI: running a cyber extortion scheme is a regularly scheduled job, and the spam runs go out on Tuesdays.

A great deal of the chat support issues revolve around one thing… Bitcoin.

7: I don’t have a bitcoin account yet and can’t make it within 3 days, as you know.

Support: We removed all deadlines for you.

Apparently “7” thinks it’s not so easy to set up a Bitcoin account, “as you know”.

And here’s another practicality: many people exist in the cash economy.

A: Admin, I don’t know what “checked the course” means. It is hard to purchase bitcoins in the US. I drove over 200 miles to purchase 500 worth; they took 10%, you take 11%. I had USD70 in a different wallet, you took 11%, you have USD466 and I have no way to purchase more until tomorrow and will once again have to drive 200 miles to get them and get home. Please consider.

Support: No problem

Many people don’t have the resources needed to buy Bitcoins online. Credit is required, and there are plenty of people with insufficient credit. For them, a physical Bitcoin ATM or a “brick-and-mortar” retailer is required.

We should be thankful that there are at least some limits on purchasing Bitcoin. If it were any easier to do so, very little else would check the growth of crypto-ransomware’s business model. The malware technology needed to encrypt data has existed for many, many years; the harder problem has always been getting paid.

In the past, cyber crime schemes (such as scareware) have been killed off by disrupting the money supply. The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban Bitcoin.


This article was originally published in our State of Cyber Security 2017 report.

Now available! A new supplemental appendix which includes 34 pages (more than 20,000 words) of Spora “tech support” chats.


Tagged: Crypto, Malware, Ransomware, Th3 Cyb3r, Threat Report

F-Secure Does Cyber Security

https://labsblog.f-secure.com/2017/02/15/f-secure-does-cyber-security/

http://labsblog.f-secure.com/?p=2338

For more than 10 years, we’ve released an annual report featuring observations, research, and malware trends. In past years, this publication has included the word “threat” in its title. But no more! There are some rather significant changes this year in our… State of Cyber Security.

The new title reflects a change in the type of content you can expect to read in the report. Although we still have portions devoted to this year’s malware landscape, the report is largely focused on cyber security at large and stories from the field.

In my previous post, I mentioned we’d be making a lot more noise about the work of our Cyber Security Services division. This report is one of the steps we’ve made in that direction. And another nice change you’ll notice is that this year’s report includes several contributed articles from some of our friends and partners.

This report took a lot of hard work to put together, but my colleagues and I had fun creating it. We hope you have just as much fun reading it!

Finally… here’s a link to the report.


Tagged: Incident Response, Malware, Statistics, Th3 Cyb3r, Threat Report