" Knowledge Base For IT Security Professionals and Computer Hobbyists in Malaysia."

Monday, July 22, 2013

Pictures from F-Secure's National Inter-Varsity IT Security Competition


Kuala Lumpur, 19 June 2013 – After one month of intense competition, a trio of undergraduates - Tan Jin Fu, Ong Yi Hao and Soh Chong Hwa - from Multimedia University (MMU), Malacca emerged triumphant as the grand prize winners of the 2013 F-Secure National Inter-Varsity IT Security Competition.

The competition was organized by F-Secure in partnership with MDeC (Multimedia Development Corporation) in an attempt to develop local talent and encourage more Malaysian undergraduates to venture into the field of IT security through education.

The objective of the competition was to give full-time IT undergraduates at every Malaysian public and private university the chance to take part in a friendly competition in which they could apply their academic knowledge and personal interest in the field of IT security.

It was a tough match as both teams attempted questions on IT Security

“We strongly believe in investing in and developing young minds at local universities in an effort to raise awareness of information security issues in Malaysia. The response from undergraduates so far has been promising. There is genuine interest in internet security in Malaysia and with this IT security competition, we believe we have provided an avenue for more Malaysians to move into this industry”, said Goh Su Gim, Security Advisor Asia Pacific, F-Secure Labs.

Over the past month, F-Secure representatives travelled throughout the country to administer qualifying tests to almost 200 participants from 28 universities. The response was encouraging, with teams flown down all the way from Labuan and Penang to take part in the Semi-Finals. After a tough screening, Team ‘CIA Triad’ from Universiti Sains Malaysia (USM) and ‘Little Pwnies’ from Multimedia University (MMU) Malacca advanced to the final round.

The winning team won the grand prize - three branded, high-end Windows 8 laptops worth RM5,000 each, while the 1st runner-up team received three Android tablets worth RM2,000 each. Additionally, both teams were equally thrilled that the chief judge for the competition was none other than Mikko Hyppönen, internationally acclaimed computer security expert and Chief Research Officer of F-Secure Corporation.

“We were overwhelmed with joy when we heard that we won! It was truly a privilege to meet the renowned Mikko himself and to learn from him. As a team, we gave it our best and look forward to venturing into the field of IT security in the near future,” said Tan Jin Fu, team leader of ‘Little Pwnies’, MMU.

For more information about F-Secure Malaysia and their services, please visit http://www.f-secure.com or call 603 2264 0200. You can also connect with F-Secure through Facebook at http://www.facebook.com/FSecure and follow them on Twitter at https://twitter.com/fsecure.


Mikko Hypponen Presenting the Champion trophy

Mikko Hypponen with the Champion Team Little Pwnies
Participants waiting eagerly for the competition to commence
Team Little Pwnies from MMU Malacca emerged as champions

Team Little Pwnies, MMU and Team CIA Triad, U with Their Respective Lect.

Thursday, May 23, 2013

F-Secure Open Hackathon Kuala Lumpur 2013

"The F-Secure Open Hackathon in Kuala Lumpur is over. During 26 hours of active development time, a total number of 13 teams created applications based on the given F-Secure APIs and the overall topic of Web Security. All teams successfully delivered actual working software which is quite an achievement on its own. There were Chrome extensions for displaying site reputation, iPhone safe QR readers, Twitter filtering, malware detection visualizations and much more."

Most unexpected effect:

Liew Swee Meng and his FS Globe application, which showed malware detections in real time all over the world on a rotating 3D globe. Not to mention the unexpected Easter egg: the world does the Harlem Shake when you click the F-Secure logo!

Best use of APIs:

Fatin Ruzanna and Francis Fueconcillo and their Safe Tweet application. This application makes it possible to filter out bad links posted by the accounts you follow on Twitter and even block the offending user. Apart from using the F-Secure URL reputation API, this application also demonstrated use of other public APIs, such as Twitter authentication.

Most innovative application:

Tan Kok Boon and his big data malware visualization and infection prediction application. Another application using the malware detection data, but this one took it a step further: it was able both to trace how a particular infection spread and to predict where it would spread next!

Best F-Secure team:

Again, Fatin Ruzanna and Francis Fueconcillo and their Safe Tweet application.

Best overall achievement:

Again, Tan Kok Boon and his Big data malware visualization and infection prediction application. 

Source: http://campaigns.f-secure.com/hackathon-kl/

//secureMalaysia.com is not affiliated with F-Secure, nor was it endorsed by F-Secure to publish this page.

60 Minute Network Security Guide | SCRIBD

Sunday, September 23, 2012

Beware of G-Archiver

What would you do if you had purchased a program that archives your Gmail messages and then found out that this software sends your username and password to the Gmail account of its author? That is apparently what happened to users who purchased the program G-Archiver, by someone named John Terry.

Dustin Brooks reverse engineered the program and discovered the software developer's username and password in plain text. He wondered why someone would put his own mail credentials in the code and discovered that each user's username and password was sent to that Gmail account.

With the login credentials at hand he decided to investigate further and logged into John Terry's Gmail account, only to find that the inbox held 1,777 messages, each containing the username and password of a user of the software.


If you have been using G-Archiver, change your Gmail password immediately, change it anywhere else you reused the same password, and report the incident to the online store where you made the purchase. It would not hurt to contact Google as well, because they are probably the ones with the best information to catch the guy.
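The analysis above hinges on one observation: a vendor's mail login has no business inside a client that should only ever talk to the user's own mailbox. The Python below is an added example written for this page, not Dustin Brooks's method or G-Archiver's code. It pulls ASCII and UTF-16LE strings out of a byte blob the way `strings` and `strings -el` would, then flags mail-server names, e-mail addresses, and the strings that follow an address closely enough to be its password. The "binary" it scans is constructed inline; the account `mail-author@example.com`, the password `hunter2!` and the 64-byte proximity window are assumptions for the example.

```python
import re

# Constructed stand-in for a program binary: an ASCII mail-server name, then a
# UTF-16LE account name and password (how .NET and Delphi executables usually
# store string literals), padded with non-printable bytes. Constructed for this
# example; the real G-Archiver layout is not shown on the page.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"smtp.gmail.com\x00\x00\x00"
    + "mail-author@example.com".encode("utf-16-le") + b"\x00\x00"
    + "hunter2!".encode("utf-16-le") + b"\x00\x00"
    + b"Archiving mailbox...\x00"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILHOST_RE = re.compile(r"^(smtp|imap|pop3?)\.", re.IGNORECASE)


def extract_strings(data, min_len=6):
    """Return printable runs as (offset, encoding, text), both plain ASCII and
    UTF-16LE, roughly what `strings` and `strings -el` would print."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)


def find_credential_pairs(data, window=64):
    """Flag mail-server names and e-mail addresses, and list the strings that
    sit within `window` bytes after each address as password candidates.
    A mail login belonging to the vendor is the red flag: the client should
    only ever need the user's own credentials."""
    strings = extract_strings(data)
    findings = []
    for i, (offset, _enc, text) in enumerate(strings):
        if MAILHOST_RE.match(text):
            findings.append({"type": "mail-server", "offset": offset, "value": text})
        elif EMAIL_RE.fullmatch(text):
            candidates = [t for (o, _e, t) in strings[i + 1:]
                          if o - offset <= window and not EMAIL_RE.search(t)]
            findings.append({"type": "account", "offset": offset,
                             "value": text, "password_candidates": candidates})
    return findings


if __name__ == "__main__":
    for finding in find_credential_pairs(SAMPLE_BINARY):
        print(finding)
```

To run it against a real file, replace SAMPLE_BINARY with `open(path, "rb").read()`. A hit is a lead, not proof: confirm by watching what the program actually sends (a packet capture of its SMTP or HTTPS session) before accusing anyone.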

Source: http://www.ghacks.net/2008/03/11/beware-of-g-archiver/

Saturday, September 22, 2012

How to Unlock a Computer Without a Password Reset Disk

A locked computer can be a dead-end frustration, potentially costing hundreds of dollars in repair bills. On older Windows versions you can unlock it without a password-reset disk by booting into Safe Mode and using the built-in Administrator account, which many Windows XP installations left enabled with a blank password, then turning off the password prompt from the console. This generally takes minutes. Three caveats matter: on Windows Vista and later the built-in Administrator account is disabled by default, so it will not appear in step 3; if the Administrator account has a password you do not know, the procedure fails; and the steps below do not recover your password, they switch off the protection it gave you, which is also why anyone with physical access to such a machine can do the same thing.


1. Restart the computer.

2. Press and hold the "F8" key as the computer boots. Release "F8" when the list of boot options appears and choose "Safe Mode" (the "With Networking" variant is not needed for this).

3. Click the "Administrator" account. If it is not listed, the built-in Administrator account is disabled (the default on Windows Vista and later) and this method will not work.

4. Press the Start button on the lower left-hand side of the screen.

5. Type "control userpasswords2" in the text field that appears and press "Enter" (on later versions the same dialog is called netplwiz). Uncheck "Users must enter a user name and password to use this computer" and restart. This turns on automatic logon: Windows signs in to the selected account at every boot without asking for a password, and keeps that account's credentials on the machine to do so. Anyone who can switch the computer on now gets in, so re-enable the check box as soon as you have set a password you remember.

6. If this does not resolve the situation, press Start and choose Control Panel. Use the view drop-down to pick "All Control Panel Items", open "User Accounts", then "Manage Another Account". Choose your account, edit it and select "Remove the password". Repeat for every account reachable through the Control Panel, then set new passwords: after this step every local account is open.

Thursday, September 20, 2012

The Morris worm

The Morris worm or Internet worm of November 2, 1988 was one of the first computer worms distributed via the Internet. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT.

Architecture of the worm

According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. It was released from MIT rather than Cornell to disguise where it came from. It spread by exploiting known weaknesses in Unix sendmail (the DEBUG command, which let a remote sender run commands), fingerd (a stack buffer overflow through an unchecked gets() call) and rsh/rexec trust relationships, as well as by guessing weak passwords. Because it relied on rsh, which is normally disabled on untrusted networks, it should not succeed on a recent, properly configured system.

A supposedly unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable. This would have the same effect as a fork bomb and crash the computer. The main body of the worm could only infect DEC VAX machines running 4BSD, and Sun-3 systems. A portable C "grappling hook" component of the worm was used to pull over (download) the main body, and the grappling hook could run on other systems, loading them down and making them peripheral victims.

The mistake

The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have decided whether to invade a new computer by asking whether a copy was already running there. But doing only that would have made it trivially easy to kill: everyone could run a process that answered "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for that possibility, Morris directed the worm to copy itself even when the answer was "yes", one time in seven. This level of replication proved excessive: the worm spread rapidly and infected some computers many times over. Morris remarked, when he heard of the mistake, that he "should have tried it on a simulator first."
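The argument in that paragraph can be checked with exactly the simulator Morris wished he had used. The Python below is an added illustration written for this page, not the worm's code: a toy model in which each running copy probes one random host per round, with the 1-in-7 reinfection rule and, optionally, the decoy defence in which every host claims to be infected already. The host count, round count and random seed are arbitrary assumptions.

```python
import random


def simulate_spread(hosts=50, rounds=30, reinfect_prob=1 / 7, decoy=False, seed=1):
    """Toy model of the worm's spreading rule (an added illustration, not the
    worm's code). Each round every running copy picks a random host and asks
    whether a copy already runs there. A clean host is always infected. A host
    that answers "yes" is infected anyway with probability `reinfect_prob`.
    With decoy=True every host answers "yes" whether infected or not, the
    defence the text says the randomization was meant to beat.
    Returns the number of worm processes on each host."""
    rng = random.Random(seed)
    copies = [0] * hosts
    copies[0] = 1                       # patient zero
    for _ in range(rounds):
        for _ in range(sum(copies)):    # every live copy attacks once per round
            target = rng.randrange(hosts)
            says_yes = decoy or copies[target] > 0
            if not says_yes or rng.random() < reinfect_prob:
                copies[target] += 1
    return copies


def summarize(copies):
    """Infected hosts, total worm processes, and the load on the worst host."""
    return {
        "infected_hosts": sum(1 for c in copies if c),
        "total_copies": sum(copies),
        "max_per_host": max(copies),
    }


if __name__ == "__main__":
    print("always yield:       ", summarize(simulate_spread(reinfect_prob=0)))
    print("1-in-7 reinfect:    ", summarize(simulate_spread()))
    print("decoy, always yield:", summarize(simulate_spread(reinfect_prob=0, decoy=True)))
    print("decoy, 1-in-7:      ", summarize(simulate_spread(decoy=True)))
```

The four runs show the trade-off in one screen: with the polite rule no host ever carries more than one copy but a single decoy stops the worm dead; with the 1-in-7 rule the decoy no longer works, and once every host is infected the process count keeps growing by roughly 8/7 per round, which is the fork-bomb effect described above.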

Effects of the worm

It is usually reported that around 6,000 major UNIX machines were infected by the Morris worm. Paul Graham has claimed that
"I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."
The U.S. GAO put the cost of the damage at $100,000–10,000,000.

The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies. Gene Spafford also created the Phage mailing list to coordinate a response to the emergency.

Robert Morris was tried and convicted of violating 18 U.S.C. § 1030, the Computer Fraud and Abuse Act, in United States v. Morris. After appeals he was sentenced to three years' probation, 400 hours of community service, and a fine of $10,000.

The Morris worm has sometimes been referred to as the "Great Worm", because of the devastating effect it had on the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet.

Source: http://en.wikipedia.org/wiki/Morris_Worm

Tuesday, September 18, 2012

Can we believe our eyes?

Several days ago, one of our customers submitted a sample (SHA1: fbe71968d4c5399c2906b56d9feadf19a35beb97, detected as TrojanDropper:Win32/Vundo.L).

This trojan hijacks the hosts “vk.com” and “vkontakte.ru” (both Russian social networking sites) and redirects them elsewhere, but achieves this in an unusual way.

A common method used to hijack a website and redirect it to a site of the attacker’s choice is to add an entry to the Windows hosts file in the %SystemRoot%\system32\drivers\etc directory. However, when we open this file on an affected computer, it doesn’t contain any entries related to “vk.com” or “vkontakte.ru”, as you can see in the following example:


But when we show hidden files, we can see another “hosts” file. It is hidden, as in the following example:

There are two files with exactly the same name, “hosts”, in the etc directory! How can this happen?
As we know, it is not possible for a directory to contain two files with the same name. When we copy the file names to notepad, save them as a Unicode text file and open them with a hex editor we see the following (the upper is for the first “hosts” file, the lower is for the second “hosts” file):

In UTF-16 the code unit 0x006F is the same character as 0x6F in ASCII, the Latin letter “o”. But what is 0x043E? We can find it in the Unicode chart for the Cyrillic block (range 0400-04FF). The following is part of that table.

Unicode 0x043E is CYRILLIC SMALL LETTER O, and in most fonts it is indistinguishable from the Latin “o”. Windows looks the hosts file up by its plain ASCII name, so the file whose name contains the Cyrillic letter is only a decoy that happens to display as “hosts”.
So the hidden “hosts” file is the real hosts file in fact. When we open this file, we can see that two entries have been added to the end of the file:

Mystery solved!

This is not the first time we’ve seen attackers use Unicode characters to mislead people. In August 2010 a Chinese hacker disclosed a trick that uses a Unicode control character to get people to run an executable. The character U+202E (RIGHT-TO-LEFT OVERRIDE, RLO) makes the text that follows it render right-to-left, so part of a specially crafted file name appears reversed in Windows Explorer.

For example, there is a file named as “picgpj.exe”, as the following:

The “gpj.exe” part of this name is specially crafted. When an RLO character is inserted before “gpj.exe”, that part renders reversed and the whole name appears as “picexe.jpg”:

Attackers also usually give the file a picture icon. Unwary people take the file for an image and double-click it, thereby running the executable. The trick does nothing to Unicode-aware programs: the file system and the loader still see a name ending in “.exe”, and a directory listing that names or escapes non-ASCII code points exposes it. It is only human eyes that are fooled.
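Both tricks in this post, the look-alike Cyrillic letter in the file name and the RLO character that reverses part of it, come down to one question: which code points are actually in the name? The Python below is an added example written for this page, not Microsoft's tooling. It lists every non-ASCII or bidi-control code point in a name with its Unicode name, approximates what Explorer renders for a name containing RLO, escapes a name so nothing can hide in it, and reports the extension the OS will actually act on. The same checks apply to the “pictu?gpj.scr” names described in the Mahdi item further down this page. The file names it tests are constructed.

```python
import unicodedata

# Unicode bidirectional format characters; invisible, but they change how the
# text around them is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM",
}


def inspect_name(name):
    """List every code point in a file name that is not plain ASCII, as
    (index, 'U+XXXX', Unicode name, kind). A Cyrillic 'o' in 'hosts' and the
    RLO in 'picgpj.exe' both show up here; clean ASCII names give []."""
    report = []
    for i, ch in enumerate(name):
        if ch in BIDI_CONTROLS:
            report.append((i, "U+%04X" % ord(ch), unicodedata.name(ch), "bidi control"))
        elif ord(ch) > 0x7F:
            report.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNNAMED"), "non-ASCII"))
    return report


def rendered_name(name):
    """Approximate what Explorer shows: text after an RLO is reversed up to a
    PDF or the end of the name; other bidi controls are invisible. (The full
    bidi algorithm has extra rules for digits and punctuation; for names made
    of letters and dots this matches.)"""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end < 0:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def safe_display(name):
    """Escape a name so controls and look-alikes cannot hide in a log line."""
    return name.encode("ascii", "backslashreplace").decode("ascii")


def real_extension(name):
    """The extension the OS will act on, regardless of what the user sees."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


if __name__ == "__main__":
    for sample in ("hosts", "h\u043ests", "pic\u202egpj.exe"):
        print(safe_display(sample), "->", rendered_name(sample),
              real_extension(sample), inspect_name(sample))
```

On a live system, feed the names from os.listdir (or from `dir /a` or `Get-ChildItem -Force`, since the real file in the case above carried the hidden attribute) through inspect_name; in a directory that should only contain ASCII names, any non-empty report deserves a look, and real_extension tells you what a double-click would actually launch.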

Can we believe our eyes? The answer is... not always.

Zhitao Zhou

Source: http://blogs.technet.com/b/mmpc/archive/2011/08/10/can-we-believe-our-eyes.aspx

Friday, September 14, 2012

Middle East's Latest Malware Malady Does It Old-School

Following on the tails of Stuxnet and Flame, the Mahdi malware has begun targeting and infecting computers in the Middle East. It's designed to log keystrokes, capture screenshots, record audio and steal files, but the way it's built and the way it spreads seem to rely on simple and well-known methods. Simpler, however, doesn't always mean ineffective.

Security researchers have discovered yet another piece of malware that appears to be targeting computer systems in the Middle East.

Dubbed "Mahdi," it was discovered about one and a half months after researchers found the Flame malware, which also hit computers in that region.

Working together, researchers from Kaspersky Lab and Seculert found that the Mahdi malware has targeted individuals in Iran, Israel, Afghanistan and other countries.

It relies on simple, well-known attack techniques rather than sophisticated ones.

Far From the Mahdi-ing Crowd

Mahdi "is a Trojan horse which is designed to log keystrokes, capture screenshots, record audio and steal files such as documents from an infected system," Roel Schouwenberg, a senior researcher at Kaspersky Lab, told TechNewsWorld.

It uses social engineering to spread.

Mahdi "seems to launch spear phishing attacks with attachments, where the attack is disguised as a legitimate file, such as a PowerPoint file or an executable," Alex Horan, senior product manager at Core Security, said. "The attackers choose explicit targets and send the malware to them."

Temptation Is a Terrible Thing

The Mahdi Trojan uses two different social engineering schemes, Kaspersky Lab said.
One consists of attractive images and confusing themes in PowerPoint slide shows that contain embedded Mahdi downloaders. For example, the "Magic_Machine1123.pps" attachment delivers an embedded executable wrapped in a confusing math puzzle. The slides are often delivered inside password-protected zip archives, which also keeps them out of reach of mail-gateway scanners.

An "Activated Content" PowerPoint effect lets executable content within these attachments run automatically. The downloaders then fetch and install backdoor services and related housekeeping data files on the victim's PC, Kaspersky Lab said. PowerPoint does put up a dialog warning that the custom animation and activated content in the slide may execute a virus, but most people ignore it.

The other technique is to send out executables whose filenames are built with the Right-to-Left Override (RLO) character, Kaspersky Lab said. These filenames appear to end in ".jpg", ".pdf" or another harmless extension. When such a name is copied into an ANSI text file the control character has no representation and shows up as "?", giving "pictu?gpj.scr"; the real extension is ".scr", a Windows screensaver, which is an ordinary executable. When victims click the file, they unknowingly run it.

"Attackers also still choose to name their files 'something.jpg.exe' and people may mistake this executable for a jpeg image," Schouwenberg said. "I'd like to see the overall issue of double extensions addressed."

Not So Clear on Who and Why

Mahdi disguises the communication between the malware and its command and control server by delivering updates and modules through a legitimate-looking Google web page, Seculert said. The actual module code is Base64-encoded and hidden within the HTML of the Google look-alike page, so on the wire the download resembles a visit to a search page.

Victims include critical infrastructure companies, financial services and government embassies in Iran, Israel and other countries in the Middle East, Seculert stated. The setup of the operation might indicate it required a large investment and financial backing.

However, it's not yet clear whether or not Mahdi is indeed state sponsored, or who's behind it.
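Hiding a Base64-encoded module inside a page that otherwise looks like a Google search page is cheap to do and cheap to spot once you know to look for it. The Python below is an added example written for this page, not Seculert's analysis tooling or Mahdi's code: it finds long Base64 runs in HTML, decodes the ones that really are Base64, and reports their size, byte entropy and whether the decoded bytes start with the PE magic "MZ". The decoy page and the payload it carries are constructed inline; a real page would differ in layout and the payload would not be a byte ramp.

```python
import base64
import binascii
import math
import re

# Constructed payload: a harmless blob that starts with the PE header magic
# "MZ" so the check below has something to find. Not Mahdi's code.
PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 2

# Constructed decoy page in the spirit of the description: looks like a
# Google search page, with the module as a Base64 run in a hidden element.
DECOY_HTML = """<html><head><title>Google</title></head>
<body><img src="/images/logo.png" alt="Google"><form><input name="q"></form>
<div style="display:none">%s</div>
<p>&copy; 2012 - Privacy &amp; Terms</p></body></html>
""" % base64.b64encode(PAYLOAD).decode("ascii")

# A run of 64+ Base64 characters that is not glued to other Base64 characters.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{64,}={0,2}(?![A-Za-z0-9+/=])")


def shannon_entropy(data):
    """Bits per byte: packed or encrypted code sits near 8, English text near 4-5."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_b64_modules(html, min_bytes=64):
    """Find long Base64 runs in a page, decode those that are valid Base64,
    and report size, entropy and whether the bytes start like a PE file.
    min_bytes drops short runs (hex hashes, session ids) that decode by accident."""
    modules = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(), validate=True)
        except (binascii.Error, ValueError):
            continue                    # bad length or padding: not a Base64 blob
        if len(raw) < min_bytes:
            continue
        modules.append({
            "offset": m.start(),
            "length": len(raw),
            "entropy": round(shannon_entropy(raw), 2),
            "looks_like_pe": raw[:2] == b"MZ",
        })
    return modules


if __name__ == "__main__":
    for module in extract_b64_modules(DECOY_HTML):
        print(module)
```

As a detection this belongs on the proxy or in a sandbox's HTTP log: a page served as text/html that contains a kilobyte-scale Base64 run decoding to high-entropy bytes, let alone to something starting with "MZ", is not a search page whatever its title says. Legitimate pages do inline images as Base64 data: URIs, so in production check the decoded magic against image signatures before alerting.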

Never Mind the Oracle

The backdoors were apparently coded in Delphi, which is an integrated development environment from Borland originally developed as a rapid application development tool for Windows.

This and the quality of the code "suggests that the attackers were either not experienced or were rushing the project," Kaspersky's Schouwenberg said. "We don't really see high-level programming languages being used by experienced attackers who write backdoors."

Mahdi "seems simpler than Flame and Stuxnet, but being simpler doesn't mean less effective," Core Security's Horan told TechNewsWorld. "From all accounts the malware was effective, which is the goal."
Further, while security experts agree that the Flame malware was bristling with encryption routines, some contend that those routines are outdated and can easily be circumvented by modern antimalware techniques.

Prince of Persia

The authors of the "Mahdi" malware appear to be fluent in the Farsi language and to know the Persian calendar. However, that in itself is meaningless.

"All this tells us is that the attackers know Farsi," Kaspersky's Schouwenberg pointed out.

"If I wanted to cast suspicion somewhere, then using a language like that would be one of the first things I would do," Core Security's Horan said.

Wednesday, September 12, 2012

Android users should not download pirated games

My friend recently downloaded an app on his Samsung Galaxy SII from which he could download cracked versions of popular games. I realized malware creators can target mobile platforms as well, as this device segment grows and attracts more users. After a quick Google search I found the following article from ESET:

For years, cyber criminals have organized their operations and traded resources through discussion forums and auction sites. One popular item to trade is access to virus-infected PCs for cash. These trading schemes are often called pay-per-install (PPI) programs. We have recently started an investigation into a new type of pay-per-install program, this time threatening Android devices.

We began our investigation by looking at domain names and malicious files related to what appears to be a Russian web forum used by the cyber criminals for marketing and supporting their PPI scheme. The forum started operating at the end of 2011. From the information we could gather, actors who successfully install malicious software on Android devices get paid between 2 and 5 US dollars per installation. This is much higher than the typical price for Windows PCs. As shown in the image below, taken from the front page of this web forum, the administrators of this program have even prepared graphics to attract as many crooks as possible.

Promotion Page for Android Pay Per Install

The software that is installed on Android devices is usually in the Android/TrojanSMS malware family. These malicious programs send SMS messages to premium rate numbers, bringing monetary profit to the malware operators. Our colleagues at Quickheal have blogged about one of these applications.

Login Page

Methods for infecting Android devices are varied but usually involve distributing malware as cracked or pirated copies of popular commercial games. Phones or tablets then get infected when users search forums or alternative market places for popular games like Angry Birds, instant messaging clients, and so forth. The following figure shows the download page for one such trojan being distributed as a game.

Malware Posing as Android Game

So far, we have found thirty different domain names related to this operation. They have been used to distribute hundreds of malicious files. During our analysis, we saw twenty-three unique variants being distributed through more than 300 unique URLs. Most of the malicious samples we analyzed were pre-programmed to send SMSes to the following premium-rate numbers: 6666, 9999 and 7375.
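The ESET description gives the two facts that make an Android/TrojanSMS sample stand out statically: an SMS-sending permission in the manifest of a game that has no business sending text messages, and premium short codes such as 6666, 9999 and 7375 sitting in its string table. The Python below is an added triage example written for this page, not ESET's detection logic. It reads a decoded AndroidManifest.xml, combines the permissions and any incoming-SMS receiver it finds with a list of strings from the dex, and produces a verdict. The manifest, the package name and the string table are constructed; a real APK needs its binary XML and classes.dex decoded first (for example with apktool) before the text is fed in.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.WRITE_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SHORT_CODE = re.compile(r"^\d{4,6}$")       # premium-rate short codes are 4-6 digits

# Constructed manifest of a repackaged "free" game (not a real app's manifest).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cracked.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Free Game">
    <activity android:name=".Main"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed string table, as `strings classes.dex` might show it.
DEX_STRINGS = ["Landroid/telephony/SmsManager;", "sendTextMessage", "6666", "9999",
               "7375", "abortBroadcast", "http://stats.example.invalid/ok.php", "Loading..."]


def manifest_findings(xml_text):
    """Permissions and receivers that matter for the premium-SMS pattern."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    receivers = [a for a in root.iter("action") if a.get(ANDROID_NS + "name") == SMS_RECEIVED]
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "intercepts_incoming_sms": bool(receivers),
    }


def triage(xml_text, strings):
    """Combine manifest facts with string-table hints into a verdict. A game
    that may send SMS, references SmsManager and carries 4-6 digit numbers in
    its string table is the TrojanSMS pattern; an SMS_RECEIVED receiver plus
    abortBroadcast is how such apps hide the carrier's billing confirmations."""
    m = manifest_findings(xml_text)
    short_codes = [s for s in strings if SHORT_CODE.match(s)]
    uses_sms_api = any("SmsManager" in s or s == "sendTextMessage" for s in strings)
    hides_replies = m["intercepts_incoming_sms"] and "abortBroadcast" in strings
    can_send = "android.permission.SEND_SMS" in m["sms_permissions"]
    if can_send and uses_sms_api and short_codes:
        verdict = "likely premium-SMS trojan"
    elif can_send or short_codes:
        verdict = "needs manual review"
    else:
        verdict = "no SMS indicators"
    return {**m, "short_codes": short_codes, "uses_sms_api": uses_sms_api,
            "hides_incoming_sms": hides_replies, "verdict": verdict}


if __name__ == "__main__":
    print(triage(MANIFEST, DEX_STRINGS))
```

Four-digit strings also occur in innocent apps (years, resource ids), which is why the verdict requires the permission and the API reference as well; treat "needs manual review" as a queue, not an alert.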

Here is a list of domain names which seem to be related to this operation:


The following file hashes are Android/TrojanSMS variants used in this operation:


This discovery, while not ground breaking, illustrates a disturbing trend in malware creation. Malware creators and operators are increasingly targeting mobile platforms as this device segment grows and attracts more users.

To protect your Android tablets and smartphones, you can use ESET Mobile Security for Android.

Source: http://blog.eset.com/2012/09/12/dancing-penguins-a-case-of-organized-android-pay-per-install