
The main news of the week was the attack on Dyn's DNS servers last Friday. A powerful DDoS attack began in the morning, US time, came in two waves, and for several hours caused degraded access to, or the complete inaccessibility of, many Dyn customer sites (news). Among the victims were Twitter, Reddit, GitHub, SoundCloud, Spotify and others. Virtually all of these sites were actually working; it was the DNS servers serving them that were unavailable. But from the user's side, the inability to translate a site's name into an IP address looks exactly the same as if the service had gone offline completely. As usual, the inaccessibility of a large social network caused glitches and outages at sites that originally had nothing to do with it (for example, hung Twitter widget code prevented The Register from loading).
Later, the assumptions about the source of the attack were confirmed (news): it was the Mirai IoT botnet, previously noted for a massive attack on Brian Krebs's blog. The Mirai code had been released publicly, which led to a noticeable increase in the number of compromised devices. There were already a lot of them: 380 thousand, according to the original "owner" of the source code.
The term "hacking" is not entirely applicable to the affected devices: in most cases trivial vulnerabilities and hard-coded passwords are exploited. The OEM Xiongmai, partly responsible for the insecure device firmware, even launched a recall campaign in the US, which, however, applies only to a few thousand IP cameras. For the rest, recommendations and firmware updates were released. The problem is that hardly all device owners will update their devices.
The theme of the vulnerable Internet of Things continues to evolve, even though the IoT era itself has not really arrived yet. I hope that the problem of devices that are vulnerable by default and difficult or inconvenient to update will begin to be solved. The Dyn attack will also serve as a useful lesson for strengthening DDoS protection. It is necessary: according to Level3, only about 10% of the botnet's half a million devices took part in the DDoS attack.
Microsoft warns about fake Security Essentials antivirus with built-in phone fraud
News. Post on the Microsoft blog.
This week Microsoft experts raised the interesting topic of telephone cyber fraud. Typical for Western countries (as far as I know, the scheme is unpopular in Russia), the "attack" goes like this: you get a call supposedly from Microsoft technical support, they report that everything is bad on your computer (it is infected with a virus, or something more original) and offer to solve the problem remotely. Further options vary: downloading malware, connecting remotely to your desktop, or paying to "remove the virus" or to install fake software.

In this case everything works a little differently: a fake Microsoft Security Essentials installer is distributed online. The calculation is that in Windows 8 and 10 this antivirus was replaced by Windows Defender, but someone might remember the old name and "find" the program on the net. After installation the user is shown a fake blue screen of death with a "technical support" phone number, and further processing of the victims moves offline. Our colleagues in the States checked: the phone number was working on Monday, and the people there stated that they were absolutely certified and authorized. One way or another, such phone scammers usually try to sell something to the user.
As a recommendation, Microsoft's experts offer a strange one: learn to distinguish a real BSOD from a fake one. Not the best advice for the target audience of such scammers. It is easier to block the infection attempts outright, especially as there are enough reasons to: the installer has no certificate, and it makes straightforward attempts to disable Task Manager.
Vulnerability in the Linux kernel allows local root privilege escalation
News. Vulnerability discovery site (with a logo!). Vulnerability information in the Red Hat tracker.
The "Dirty COW" (dirty cow) vulnerability was named so because it involves the Copy-On-Write mechanism. COW is used to reduce resource consumption when different processes request the same data set (for example, on disk). Normally a copy of the data would have to be made every time, but with COW a copy is created only when a process tries to change the information. An error in the Linux kernel allows creating a race condition, as a result of which the write goes to the original file rather than to the copy, even if the initiator of the write has no rights to it.
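As an added illustration, not code from the original column or from the kernel fix, the C program below shows the copy-on-write behaviour the paragraph describes: a write through a MAP_PRIVATE mapping of a file lands in a private copy of the page, and the file itself, read back through the descriptor, stays unchanged. It creates and unlinks its own temporary file under /tmp (an assumption about the environment) and demonstrates only the intended semantics, which is the invariant Dirty COW broke.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Writes through a MAP_PRIVATE file mapping and checks two things:
 *   - the process sees its own modified copy of the page, and
 *   - the file on disk (read back through the descriptor) is untouched.
 * Returns 1 when both hold (expected copy-on-write semantics), 0 when the
 * write reached the file, -1 on a setup error. */
int private_write_leaves_file_intact(void)
{
    static const char original[] = "original data on disk";
    const size_t len = sizeof original;
    char path[] = "/tmp/cow-demo-XXXXXX";   /* assumption: /tmp is writable */

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                            /* file exists only while fd is open */

    if (write(fd, original, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }

    /* Private mapping: the page is shared with the page cache until the first
     * write, at which point the kernel is supposed to give this process its
     * own copy instead of dirtying the cached page. */
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }

    memcpy(map, "MODIFIED", 8);              /* triggers the copy-on-write fault */
    int copy_changed = memcmp(map, "MODIFIED", 8) == 0;

    /* pread() goes through the page cache, not through our private copy. */
    char buf[sizeof original];
    ssize_t n = pread(fd, buf, len, 0);
    int file_unchanged = n == (ssize_t)len && memcmp(buf, original, len) == 0;

    munmap(map, len);
    close(fd);
    return (copy_changed && file_unchanged) ? 1 : 0;
}

int main(void)
{
    int r = private_write_leaves_file_intact();
    if (r == 1)
        puts("copy-on-write intact: private copy changed, file unchanged");
    else
        printf("unexpected result: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

On a kernel with the fix applied the function returns 1 every time; the defect in the vulnerable kernels was that, under the right race, the same kind of write could reach the page cache and from there the file, regardless of the file's permissions.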
Interesting details are on the fix commit page. Linus Torvalds writes that he tried to fix the problem 11 years ago, but back then there were some difficulties with systems on the S390 architecture. Perhaps no attention was paid to it at the time, since the practical possibility of a race condition depends, among other things, on system performance, and back then the attack seemed unrealizable. As a result, the vulnerability has existed in all versions of the Linux kernel since 2007, and at the moment it is not patched everywhere. That would all be fine, but there is evidence of an exploit in the wild.
What else happened:
Google has created a neural network that completely independently developed a new encryption algorithm (defending itself from another proto-AI trying to decrypt the data). The researchers who created the neural network are not completely sure how exactly the algorithm works. "Not exactly XOR."
Emergency patch for Adobe Flash.

Antiquities
Family "Saratoga"
A family of resident dangerous viruses. Every second or tenth EXE file (depending on the virus version) is infected in the standard way when it is executed or loaded into memory. After each successful infection of a file, one of the free clusters of the current disk is declared "bad" (a so-called pseudo-bad cluster).
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992. Page 44.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It is a matter of luck.
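An added example, written for this column and not taken from the book or from any Kaspersky tool: a small FAT12 table reader in C that counts the clusters flagged as bad (the 0xFF7 marker in a 12-bit FAT). Because Saratoga marks one free cluster as bad after each infection, a bad-cluster count that grows over time on a disk with no physical defects is the kind of anomaly a disk inspection tool would flag. The FAT bytes are constructed inside the block for the demonstration; the 16-cluster sample, its chain layout and the "baseline recorded at format time" are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FAT12_FREE        0x000
#define FAT12_BAD_CLUSTER 0xFF7   /* marker for a physically defective cluster */
#define FAT12_EOC         0xFFF   /* end of a cluster chain */

/* Read the 12-bit entry for cluster n. Entries are packed 1.5 bytes each:
 * even entries use byte off and the low nibble of off+1, odd entries use the
 * high nibble of off and all of off+1. */
uint16_t fat12_get(const uint8_t *fat, size_t n)
{
    size_t off = n + n / 2;
    uint16_t v = (uint16_t)(fat[off] | (fat[off + 1] << 8));
    return (n & 1) ? (uint16_t)(v >> 4) : (uint16_t)(v & 0x0FFF);
}

/* Write a 12-bit entry; used here only to build the constructed sample. */
void fat12_set(uint8_t *fat, size_t n, uint16_t val)
{
    size_t off = n + n / 2;
    if (n & 1) {
        fat[off]     = (uint8_t)((fat[off] & 0x0F) | ((val & 0x0F) << 4));
        fat[off + 1] = (uint8_t)(val >> 4);
    } else {
        fat[off]     = (uint8_t)(val & 0xFF);
        fat[off + 1] = (uint8_t)((fat[off + 1] & 0xF0) | ((val >> 8) & 0x0F));
    }
}

/* Count data clusters (2 .. nclusters-1) whose entry is the bad marker. */
size_t fat12_count_bad(const uint8_t *fat, size_t nclusters)
{
    size_t bad = 0;
    for (size_t n = 2; n < nclusters; n++)
        if (fat12_get(fat, n) == FAT12_BAD_CLUSTER)
            bad++;
    return bad;
}

/* Number of clusters flagged bad since the count recorded at format time. */
size_t new_bad_clusters(const uint8_t *fat, size_t nclusters, size_t baseline)
{
    size_t now = fat12_count_bad(fat, nclusters);
    return now > baseline ? now - baseline : 0;
}

#define SAMPLE_CLUSTERS 16
#define SAMPLE_FAT_BYTES (SAMPLE_CLUSTERS * 3 / 2)

/* Constructed sample FAT: one healthy 3-cluster file chain plus two clusters
 * flagged bad the way Saratoga does after each infection. */
void build_sample_fat(uint8_t *fat)
{
    memset(fat, 0, SAMPLE_FAT_BYTES);         /* everything free to start */
    fat12_set(fat, 0, 0xFF8);                 /* media descriptor entry */
    fat12_set(fat, 1, FAT12_EOC);
    fat12_set(fat, 2, 3);                     /* file occupies 2 -> 3 -> 4 */
    fat12_set(fat, 3, 4);
    fat12_set(fat, 4, FAT12_EOC);
    fat12_set(fat, 7, FAT12_BAD_CLUSTER);     /* pseudo-bad: hidden virus data */
    fat12_set(fat, 9, FAT12_BAD_CLUSTER);
}

/* Convenience wrappers over the constructed sample. */
size_t sample_bad_count(void)
{
    uint8_t fat[SAMPLE_FAT_BYTES];
    build_sample_fat(fat);
    return fat12_count_bad(fat, SAMPLE_CLUSTERS);
}

uint16_t sample_entry(size_t n)
{
    uint8_t fat[SAMPLE_FAT_BYTES];
    build_sample_fat(fat);
    return fat12_get(fat, n);
}

int main(void)
{
    uint8_t fat[SAMPLE_FAT_BYTES];
    build_sample_fat(fat);
    /* A freshly formatted, defect-free disk has a baseline of 0 bad clusters. */
    printf("bad clusters: %zu, new since format: %zu\n",
           fat12_count_bad(fat, SAMPLE_CLUSTERS),
           new_bad_clusters(fat, SAMPLE_CLUSTERS, 0));
    return 0;
}
```

Comparing against a baseline matters because genuinely defective media legitimately carry bad markers; the signal is growth in the count, not its mere presence. The same reader extends to FAT16 by widening the entries to 16 bits and using 0xFFF7 as the marker.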