Monthly Archives: May 2014

We’re moving and expanding!

This blog is moving (and expanding) to a full IT security news and views site: Latest news on ITsecurity. But that’s all folks. If you want to keep up with the latest news and views, hop over to ITsecurity! Two iPhone hackers probably behind the Oleg Pliss attacks arrested in Russia CESG advice on […]

More on the Avast breach and the hash used

My understanding is that the hash formula used by Avast to store its forum users’ passwords was $hash = sha1(strtolower($username) . $password); This is the formula built into the SMF open source forum software used by Avast. It is both good and bad. It confirms that the hash was salted (with the user’s username); but […]

Avast forum hack demonstrates we need password storage disclosure

A blog post early this morning by Avast Software CEO Vince Steckler announced The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. AVAST forum offline due to attack Avast’s […]

Hector ‘Sabu’ Monsegur to be sentenced while Hammond sits in prison

A common cry in Anonymous circles is ‘Free Jeremy Hammond; Fuck Sabu’. Jeremy Hammond is currently serving a ten-year prison sentence for his involvement in the Stratfor hack. Sabu (real name Hector Xavier Monsegur) will be sentenced tomorrow for his role in Lulzsec and many other hacks. He is expected, on FBI request, to walk […]

Catching up on recent crypto developments

When I started this blog, the goal was to write long-form posts that could serve as a standalone intro to security and crypto topics. Rather than write about the history of the NSA as planned, I’ll try writing a few short notes in hopes that they’ll fit better within the time I have. (Running a company and then launching a new one the past few years has limited my time.)

Heartbleed has to be the most useful SSL bug ever. It has launched not just one, but two separate rewrites of OpenSSL. I’m hoping it will also give the IETF more incentive to reject layering violations like the heartbeat extension. Security protocols are for security, not path MTU discovery.

Giving an attacker a way to ask you to say a specific phrase is never a good idea. Worse would be letting them tell you what to say under encryption.

Earlier this year, I was pleased to find out that a protocol I designed and implemented has been in use for millions (billions?) of transactions the past few years. During design, I spent days slaving over field order and dependencies in order to force implementations to be as simple as possible. “Never supply the same information twice in a protocol” was the mantra, eliminating many length fields and relying on a version bump at the start of the messages if the format ever changed. Because I had to create a variant cipher mode, I spent 5x the initial design time scrutinizing the protocol for flaws, then paid a third-party for a review.

As part of the implementation, I provided a full test harness and values covering all the valid and error paths. I also wrote a fuzzer and ran that for days over the final code to check for any possible variation in behavior, seeding it with the test cases. I encouraged the customer to integrate these tests into their release process to ensure changes to the surrounding code (e.g., 32/64 bit arch) didn’t break it. Finally, I helped with the key generation and production line design to be sure personalization would be secure too.

I firmly believe this kind of effort is required for creating security and crypto that is in widespread use. This shouldn’t be extraordinary, but it sadly seems to be so today. It was only through the commitment of my customer that we were able to spend so much effort on this project.

If you have the responsibility to create something protecting money or lives, I hope you’ll commit to doing the same.

Episode #178: Luhn-acy

Hal limbers up in the dojo

To maintain our fighting trim here in the Command Line Kung Fu dojo, we like to set little challenges for ourselves from time to time. Of course, we prefer it when our loyal readers send us ideas, so keep those emails coming! Really... please oh please oh please keep those emails coming... please, please, please... ahem, but I digress.

All of the data breaches in the news over the last year got me thinking about credit card numbers. As many of you are probably aware, credit card numbers have a check digit at the end to help validate the account number. The Luhn algorithm for computing this digit is moderately complicated and I wondered how much shell code it would take to compute these digits.

The Luhn algorithm is a right-to-left calculation, so it seemed like my first task was to peel off the last digit and be able to iterate across the remaining digits in reverse order:

$ for d in $(echo 123456789 | rev | cut -c2- | sed 's/\(.\)/\1 /g'); do echo $d; done

The "rev" utility flips the order of our digits, and then we just grab everything from the second digit onwards with "cut". We use a little "sed" action to break the digits up into a list we can iterate over.

Then I started thinking about how to do the "doubling" calculation on every other digit. I could have set up a shell function to calculate the doubling each time, but with only 10 possible outcomes, it seemed easier to just create an array with the appropriate values:

$ doubles=(0 2 4 6 8 1 3 5 7 9)
$ for d in $(echo 123456789 | rev | cut -c2- | sed 's/\(.\)/\1 /g'); do echo $d ${doubles[$d]}; done
8 7
7 5
6 3
5 1
4 8
3 6
2 4
1 2

Then I needed to output the "doubled" digit only every other digit, starting with the first from the right. That means a little modular arithmetic:

$ c=0
$ for d in $(echo 123456789 | rev | cut -c2- | sed 's/\(.\)/\1 /g'); do
echo $(( ++c % 2 ? ${doubles[$d]} : $d ));
done


I've introduced a counting variable, "$c". Inside the loop, I'm evaluating a conditional expression to decide if I need to output the "double" of the digit or just the digit itself. There are several ways I could have handled this conditional operation in the shell, but having it in the mathematical "$((...))" construct is particularly useful when I want to calculate the total:

$ c=0; t=0;
$ for d in $(echo 123456789 | rev | cut -c2- | sed 's/\(.\)/\1 /g'); do
t=$(( $t + (++c % 2 ? ${doubles[$d]} : $d) ));
done
$ echo $t

We're basically done at this point. Instead of outputting the total, "$t", I need to do one more calculation to produce the Luhn digit:

$ c=0; t=0;
$ for d in $(echo 123456789 | rev | cut -c2- | sed 's/\(.\)/\1 /g'); do
t=$(( $t + (++c % 2 ? ${doubles[$d]} : $d) ));
done
$ echo $(( ($t * 9) % 10 ))

Here's the whole thing in one line of shell code, including the array definition:

doubles=(0 2 4 6 8 1 3 5 7 9);
c=0; t=0;
for d in $(echo 123456789 | rev | cut -c2- | sed 's/\(.\)/\1 /g'); do
t=$(( $t + (++c % 2 ? ${doubles[$d]} : $d) ));
done
echo $(( ($t * 9) % 10 ))

Even with all the extra whitespace, the whole thing fits in under 100 characters! Grand Master Ed would be proud.

I'm not even going to ask Tim to try and do this in CMD.EXE. Grand Master Ed could have handled it, but we'll let Tim use his PowerShell training wheels. I'm just wondering if he can do it so it still fits inside a Tweet...

Tim checks Hal's math

I'm not quite sure how Hal counts, but when I copy/paste and then use Hal's own wc command I get 195 characters. It is less than 200 characters, not long enough to tweet.

Here is how we can accomplish the same task in PowerShell. I'm going to use a slightly different method than Hal. First, I'm going to use his lookup method as it is more terse than doing the extra match via if/then. In addition, I am going to extend his method a little to save a little space.

PS C:\> $lookup = @((0..9),(0,2,4,6,8,1,3,5,7,9));

This multi-dimensional array contains a lookup for the number as well as the doubled number. That way I can index the value without an if statement to save space. Here is an example:

PS C:\> $isdoubled = $false
PS C:\> $lookup[$isdoubled][6]
PS C:\> $isdoubled = $true
PS C:\> $lookup[$isdoubled][7]

The shortest way to get each digit, from right to left, is by using regex (regular expression) match and working right to left. A longer way would be to use the string, convert it to a char array, then reverse it but that is long, ugly, and we need to use an additional variable.

The results are fed into a ForEach-Object loop. Before the objects (the digits) passed down the pipeline are handled, we need to initialize a few variables, the total and the boolean $isdoubled, in -Begin. Next, we add the digits up by accessing the items in our array as well as toggling the $isdoubled variable. Finally, we use the ForEach-Object's -End to output the final value of $sum.

PS C:\> ([regex]::Matches('123456789','.','RightToLeft')) | ForEach-Object `
-Begin { $sum = 0; $isdoubled = $false } -Process { $sum += $lookup[$isdoubled][[int]$_.value]; $isdoubled = -not $isdoubled } `
-End { $sum }

We can shorten the command to this to save space.

PS C:\> $l=@((0..9),(0,2,4,6,8,1,3,5,7,9));
([regex]::Matches('123456789','.','RightToLeft')) | %{ $s+=$l[$d][$_.value];$d=!$d} -b{$s=0;$d=0} -en{$s}

According to my math this is exactly 140 characters. I could trim another 2 by removing a few spaces too. It's tweetable!

I'll even throw in a bonus version for cmd.exe:

C:\> powershell -command "$l=@((0..9),(0,2,4,6,8,1,3,5,7,9));
([regex]::Matches('123456789','.','RightToLeft')) | %{ $s+=$l[$d][$_.value];$d=!$d} -b{$s=0;$d=0} -en{$s}"

Ok, it is a bit of cheating, but it does run from CMD.

Hal gets a little help

I'm honestly not sure where my brain was at when I was counting characters in my solution. Shortening variable names and removing all extraneous whitespace, I can get my solution down to about 150 characters, but no smaller.

Happily, Tom Bonds wrote in with this cute little blob of awk which accomplishes the mission:

awk 'BEGIN{split("0246813579",d,""); for (i=split("12345678",a,"");i>0;i--) {t += ++x % 2 ? d[a[i]+1] : a[i];} print (t * 9) % 10}'

Here it is with a little more whitespace:

awk 'BEGIN{ split("0246813579",d,"");
for (i=split("12345678",a,"");i>0;i--) {
t += ++x % 2 ? d[a[i]+1] : a[i];
}
print (t * 9) % 10
}'

Tom's getting a lot of leverage out of the "split()" operator and using his "for" loop to count backwards down the string. awk is automatically initializing his $t and $x variables to zero each time his program runs, whereas in the shell I have to explicitly set them to zero or the values from the last run will be used.

Anyway, Tom's original version definitely fits in a tweet! Good show, Tom!
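The same check-digit calculation that Hal builds up in bash and Tom writes in awk, as an added example that is not part of the original episode: a plain POSIX sh version (no arrays, no rev) that rejects non-digit input, computes the check digit for a payload such as 12345678, and also verifies a complete number whose last digit is the check digit. The function names are my own; the 0246813579 table is replaced by the equivalent "double, subtract 9 if over 9" rule.

```shell
#!/bin/sh
# Luhn helpers in plain POSIX sh (added example; not from the original post).
# The 0246813579 lookup table from the post is replaced by "double, then
# subtract 9 if the result exceeds 9", which yields the same digits.

# Succeed only for a non-empty string of ASCII digits, so that stray
# characters never reach the arithmetic below.
is_digits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Weighted Luhn sum of the digits in $1, walked right to left.
# $2 says whether the rightmost digit is doubled: 1 when computing a check
# digit for a payload, 0 when validating a complete number whose rightmost
# digit already is the check digit.
luhn_sum() {
    s=$1
    double=$2
    total=0
    while [ -n "$s" ]; do
        rest=${s%?}          # all but the last character
        d=${s#"$rest"}       # the last character
        if [ "$double" -eq 1 ]; then
            v=$((d * 2))
            if [ "$v" -gt 9 ]; then v=$((v - 9)); fi
        else
            v=$d
        fi
        total=$((total + v))
        double=$((1 - double))
        s=$rest
    done
    echo "$total"
}

# Print the check digit for a payload (the number without its last digit).
# Returns 1 without printing anything if the payload is not all digits.
luhn_check_digit() {
    is_digits "$1" || return 1
    t=$(luhn_sum "$1" 1)
    echo $(( (t * 9) % 10 ))     # same as (10 - t mod 10) mod 10, as in the post
}

# Succeed (exit status 0) only if $1 is a complete number whose last digit
# satisfies the Luhn check.
luhn_valid() {
    is_digits "$1" || return 1
    [ ${#1} -ge 2 ] || return 1
    t=$(luhn_sum "$1" 0)
    [ $((t % 10)) -eq 0 ]
}

# Demonstration on the post's payload 12345678 (constructed input).
# Guarded so the functions can also be sourced without producing output.
if [ "${1-}" = "--demo" ]; then
    echo "check digit for 12345678: $(luhn_check_digit 12345678)"
    luhn_valid 123456782 && echo "123456782 passes Luhn"
    luhn_valid 123456789 || echo "123456789 fails Luhn"
fi
```

Run it as `sh luhn.sh --demo`; the payload 12345678 yields check digit 2, so 123456782 validates while the 123456789 used in the episode does not.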

#DigitalFreedom is always on the ballot — so vote!

“Should we worry?” Mikko Hypponen asked during his TED Talk How the NSA betrayed the world’s trust — time to act. “No, we shouldn’t worry. We should be angry, because this is wrong, and it’s rude, and it should not be done.”

What can be done to force politicians to listen people who are fed up with the internet and smartphones being turned into tracking tools?

One of the most direct actions any citizen can take in a functioning democracy is to vote for candidates who respect #digitalfreedom. Elections for all 751 Members of the European Parliament will be held across the European Union from 22 -25 May.

Unfortunately, in elections where voters are not motivated or informed, it’s those already with power who tend to have the most influence over the results. is attempting to raise the prominence of digital rights issues by encouraging candidates for the European Parliament to endorse a 10 Point Charter of Digital Rights. Like our own #DigitalFreedom Manifesto, it lays out what governments need to do to regain our trust.

Unfortunately only 3,615 of the 503 million people living in the EU have endorsed the Charter. But it’s a start.

The old saying is, “If you don’t vote, you can’t complain.” Now we should say, “If you don’t vote #digitalfreedom, the government will know all your complaints — whether you want them to or not.”




Why we Like Facebook’s new malware cleanup tool

Have you ever encountered a Facebook post that appears to be done by a friend, but promotes something you’re quite sure your friend would not promote? Like free meds, too-good-to-be-true work at home gigs, or “shocking new must-see” videos. The good news is, you’re right, it’s not really your friend having undergone a sudden personality change. The bad news is, your friend’s device is probably infected by malware.

We’re proud to announce that F-Secure is now partnering with Facebook to make it easier to clean up Facebook users’ malware-infected devices. When Facebook identifies an account behaving suspiciously in a way that is consistent with a malware infection, Facebook will offer a free F-Secure-powered scanner. The scanner is no-hassle: It will run through and clean up any malware on the device, then remove itself once done.

If you (or your friend) ever get this message, be sure to run the scanner, even if you already have a security product installed. Malware can allow someone else to take control of your Facebook account, collect info from your account, and send spam that looks like it’s from you – so you’ll want to get it cleaned up ASAP.

And be careful where you click, too – that “shocking” video or that browser add-on that promises to show you who’s viewing your Timeline could be what’s spreading malware in the first place.

If you’d like to check if your computer is infected by malware right now, you don’t need to wait to be prompted by Facebook – you can use our free Online Scanner anytime.

Here’s to F-Secure and Facebook fighting malware!



FBI indicts five members of the Chinese military for hacking US companies

Eric Holder yesterday announced: “Today, we are announcing an indictment against five officers of the Chinese People’s Liberation Army for serious cybersecurity breaches against six American victim entities.” The five officers are known by the aliases UglyGorilla, Jack Sun, Lao Wen, hzy_1hx and KandyGoo. They are members of the PLA’s military unit 61398 (you may […]

Worldwide crackdown on BlackShades RAT users

First official indications emerged at the Reuters Cybersecurity Summit (although there have been rumblings in hacker circles for a couple of weeks now). This was last Wednesday. The FBI executive assistant director Robert Anderson, appointed in March to oversee ‘all FBI criminal and cyber investigations worldwide, international operations, critical incident response, and victim assistance’, announced: […]

5 Fab F-Secure Tech Moms on How They Do It All

In honor of Mother’s Day, we’re featuring five cool tech moms at F-Secure. Here they talk about balancing work and family, parenting in a world of digital technology, and why they love tech, and they share favorite apps and tech tips for home life. And Happy Mother’s Day to all you moms!


How did you get interested in tech?

Christine: I had several great teachers in Russia growing up, who inspired me in math, science and technology. They treated boys and girls equally and provided opportunities for us to explore and learn deeper. We also had programming in secondary school, which really interested me.

Feng Ping: I was always good in math and interested in computers, but not so interested in literature or accounting or other areas that are traditionally “girl” areas in China. When I came to Finland I realized I had the opportunity to study whatever I wanted. I began doing my master’s here in computer science.

Paivi: I started out at F-Secure in marketing, and from there I learned the security industry. I’m actually not a real techie, so I think my role is more to see things from the end customer point of view and then simplify it for them. Human behavior is very interesting to me.

Sarika: When I had a chance to study computers in school, it always interested me how they worked. I can still remember those big computers with black and white displays and floppy disk storage. My interest carried on so I pursued a degree in computer science. The technology world has changed a lot since then – sometimes it’s difficult to keep up.

Anu: My education is in marketing and social sciences. I’m interested in systems and how they work as a whole. That led me to an interest in the service platforms area, seeing how technology can be used to improve systems and serve the people using them. I like to think from the customer point of view and make sure services work flawlessly for them. 


What’s the best thing about being a mom?

Christine: I learn a lot from my kids. With kids, you are not only giving to them, you are also learning from them. To help them grow, sometimes you need to change yourself. My kids are very different from each other, and I’m learning all the time, and I also enjoy being their friend.

Feng Ping: I love my boys without condition, and I like to see them grow and change almost every day. Of course, with parenting there’s mixed feelings. Kids are a joy but they are also demanding, physically and mentally.

Paivi: We’re a big family, and when we do something together and everyone is in a good mood and everything goes well, it feels really great! And of course it’s fun to see them grow and learn new things.

Sarika: Quite a lot of things! You get to sort of relive your childhood, you understand your own parents more, you can see things in your child that resemble you or your spouse. Also playing with him, teaching him. When you come home tired and open the door, your baby is smiling at you and you forget any stresses from work.

Anu: Getting to raise a personality, and getting them to raise me. Every single development phase is different and fun, though not always easy!


What’s your biggest challenge parenting in a tech world?

Christine: Nowadays because of the Internet we’re not the only source of information for our kids. When kids ask you something and you don’t know, you have to check on the Internet – but of course they can just check the Internet too and second guess you! It must be tough being a teacher nowadays. One of my sons was complaining that his teacher was just reciting off of Wikipedia.

Feng Ping: With my older boy right now, I’m a bit concerned because I don’t want him to get too addicted to video games. With my younger boy, feedings will not happen if there is no video or cartoon playing! It’s so easy to put technology in front of kids, but then it’s a bit worrying too.

Paivi: With my job managing Freedome, there are always things happening even when I’m not working. I feel guilty when I’m with the kids but not really present because I’m checking my phone to see what’s happening with work. There’s no “8 to 4” with my job. As far as technology with the kids, I talk to them, especially my oldest, about how to behave online, not using his real name, what to say and not to say online, etc.

Sarika: Wondering when we should start exposing our son to technology. There is a lot of advice online and I know we shouldn’t expose him to too much too soon. My son plays with my phone sometimes and when the screen locks, he’ll come to me wanting me to unlock it. So when he knows to do this, should I be happy or should I be worried?! But as he grows, we will guide him.

Anu: Broadening the area that I need to be aware of and teach my kids about. I try to teach them that in the digital world, you need to be safe and respect others just like in the real world. In the digital world being safe means protecting your privacy and identity, with proper passwords for example. And just as you shouldn’t be rude to someone in the real world, you don’t do that digitally either. We respect ourselves and each other, in both worlds, and I teach them what that looks like.


How do you balance work and home life?

Christine: You have to prioritize of course. Something always suffers – then you try to make it so things don’t suffer too much. I’m probably not the mom who will be remembered for my cooking!

Feng Ping: I’m flexible, not so strict at home. Things don’t have to be perfect. Every day is hectic. I sleep less than I used to – usually six hours a night. I found out that I can get by on less sleep than I thought.

Paivi: I start early – I try to be at work at 7am so I can pick up the kids earlier in the afternoon. We do as much as possible together with the kids, and involve them in cooking and cleaning and shopping too. I try not to work in the evening unless it’s really urgent.

Sarika: Plan ahead! My husband and I use a whiteboard to plan out our week in advance. We have a grocery shopping day, a laundry day. I use my work commute for making calls or reading something.

Anu: I work remotely to get the flex needed, like if the kids are sick. When I’m not working, I take the kids along in everyday life. We cook together, I teach them how to do things and they help out. You can’t do it all so it gets down to the essentials. Figuratively speaking, I don’t sit and polish my cutlery. I rather use that time for reading or cycling with the kids.


Do you have a favorite app or tech tip for home life?

Christine: My kids and I use F-Secure Lokki to know where each other is throughout the day. It’s very good if you have teenagers. Maybe they are at the skate park and they don’t hear their phone ring because it’s in their backpack, which is lying on the ground, but you can still see where they are.

Feng Ping: We use Moves to monitor our family’s daily physical activity. For example, it tells that I walked 2,6 kilometers and biked 8 minutes yesterday, and shows a map with my route.

Paivi: Using a shared calendar app to keep track of family commitments really helps. My husband and I use one to keep track of dates for kids’ hobbies, events, exams and other things that are going on. It’s one place to check what’s going on with the family.

Sarika: I use List Ease for our grocery shopping list. It saves me time and helps me make sure I don’t forget anything. We also keep in touch with our family and friends in India via Skype.

Anu: To keep my kids from accidentally purchasing anything online, I use password-protected access and purchase options for each of our household devices. Also, if you get familiar with your devices’ security and privacy options, it helps you feel more in control. And of course, use security software to protect your devices. We also use F-Secure Lokki in my family – feeling more secure knowing where each other is has been important, especially for my daughter.


Antivirus is dead? Yep. Where’ve you been?

People are saying antivirus is dead, and they’re right.

What most people call antivirus has been as dead as a doornail for more than five years.

Simply identifying specific files as malicious software by checking them against some sort of blacklist just isn’t good enough to stop attacks from modern cybercriminals, which is why we updated our technology more than half a decade ago.

Traditional antivirus protection fails, for instance, against so-called “drive-by attacks.”

In these common attacks, a user visits a particular website and a completely unique file is created to exploit vulnerabilities and infect a user’s PC.

That’s why any security solution worth having now uses reputation-based detection. Instead of only checking a file against a list of malicious files, we now also look at a file’s genealogy. If it’s unique and has never been seen before, our reputation-based protection finds it highly suspicious.

“The bad guys think that they can get around detection by creating a unique malicious file for every user. But this is exactly how we beat them,” Hypponen says.

Exploits such as drive-by attacks are the most common way for both consumers and business users to get infected today. There are millions of malware samples out there, but only a few dozen vulnerabilities are widely exploited at any given time.

It’s a choke point: If we prevent the exploit from taking place, the malware never gets into our customer’s computer.

“Reputation-based detection is a bit like digital Judo,” explains F-Secure’s Chief Research Officer Mikko Hyppönen. “We take an enemy’s attacks and turn them against him—or her.”

“On this note, we often see references to tests focused on antivirus signature scanning,” said F-Secure’s Chief Technology Officer Mika Ståhlberg. “Some of these are even done using VirusTotal. These kinds of tests only measure 10-year old technology and do not include reputation detection.”

Testing should always be “real world.” That means it should use all the features of a product – preferably with the default settings users use most often. Tests should also include all the steps of a possible infection, including the exploit step.


Antivirus is dead. Long live reputation-based antivirus.


Install service for Malware affiliates and individuals

This install service had been running for a long time, but the server recently died.
People targeted are from Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan.


Statistics by days:
(Date, Unique visits, General visits)

Statistics by countries:
(Countries, Unique visits, Percentage, General visits)

Statistics by version:
(Version, Unique visits, Percentage, General visits)

Statistics by time:
(Time,  Users)

(Date, Already installed, ???? installed, Successfully installed, Copy failed, Modify failed, Register failed)

(Date, Begin update, Downloaded update, Executed update, No ATL, Execution failed)

Statistics by tasks:
(Date, Start of xxxx, Searches, Clicks, ???)

Statistics by sites:

Statistics by ads:

Loader, users list:
 (Nickname, ID, Priority, Ban, GEO, Days, General limit, Working conditions, Today, Summary, Size, Time, File)

There are some interesting people in this listing:
Severa (known for FakeAV, spam)
Malwox affiliate (Mayachok.1)
Feodal Cash affiliate (Bitcoin malware)

And if you want to know about the EXE files being loaded: all of them are malware (Zeus, SpyEye, Russian lockers, spam bots, Mayachok, etc.).
The x64 Zbot covered by Kaspersky also came from here.
The executables were rotated and refreshed constantly; around 400 samples per day could be pulled from this system.

Download statistics for client 191 ( Malwox TEST ):
(Date,  Derved, Executed, Ctr, Create, Exists, Down, Run, Unp)

Edit user:

Add user:

Schedule for user:

Menu: users list, add, FTP, Stats.

For the FTP list, most of the accounts came with a shell on them.


From the source:
$useZorkaJob = 0; //схч чрїюфр
$useSputnikJob = 0;
$useRekloJob = 0;
$useSpoiskJob = 0;
$useBegunCheatJob = 0;
Begun is one of the biggest ads services in Russia.


ATSEngine injects are often found inside Zeus configs. They make the webinjects more dynamic, because most of the content is hosted remotely and can be updated far more easily than by pushing a new config to all the bots.
That is the main difference between this and a standard web inject inside Zeus.
A standard inject only lets you make a static change to the page, while ATSEngine gives many more options, for example customized webinjects, pop-ups, online requests for tokens, etc.
ATSEngine also has a Jabber alert feature: it notifies the fraudster when the victim is logged into their bank account, which is the moment the fraudster back-connects to the victim (with the VNC feature of Zeus) and performs the transaction.
Most ATSEngine panels are also hosted on SSL, because banks use SSL.

ATSEngine on a ZeusVM config.

ATSEngine on a Citadel config.
Example of figrabber.js from an ATSEngine panel.

Some people also run a business around this type of web inject, for example:
He's offering a service for writing injects.
The title says "Auto-uploads and Injects from professionals for professionals".
The rest of the text explains how the service works; it's more a terms-and-conditions post than a technical description of the product, covering moneyback, privacy, guarantees and other such matters.
They don't write mobile botnets, trojan horses, traffic direction systems or other malware software except injects, and they don't guarantee bypassing protection (like Rapport).
yummba is known anyway for writing injects for ATSEngine.

Let's have a look at a C&C now.



Options main:

Options Jabber:

Another panel, on SSL:

Another panel, on SSL:

Another panel, still on SSL:


Additional fields rules:

Additional fields rules (texts):

Edit rule:

Edit text:

VBV/MCSC rules:

Add a rule:


Options (CC Checker):

Files, dumped from another panel, targeting La Banque Postale (a French bank):