
We had only just discussed how ransomware became the malicious topic of the year, not because of the attack technologies but thanks to, let's say, the social aspects of the problem, when news arrived that confirms it. The Popcorn Time ransomware is named after the promising but shut-down software for easily downloading movies from torrents. Lawrence Abrams, the owner of the BleepingComputer site, discovered that the Trojan's code is clearly unfinished, which is why communication with the command center does not always work.
But the Trojan's main feature is an alternative route to decryption: the victim is asked to send his friends a link from which, supposedly, the same Trojan is downloaded, and if two recipients install the malicious program, the sender will be given the key for free (otherwise 1 BTC is demanded). “Supposedly”, because the site on the Tor network was unavailable at the time the malware was analyzed.
In practice, this particular scheme is unlikely to work. Do not forget that distributing malicious programs is punishable under the criminal code, regardless of intentions or of an urgent need to decrypt working documents. But the attempt is interesting: malicious content is often distributed by the victims themselves, but usually they are not aware of it. Here the dilemma is worse than “pay or don't pay the ransom”. I would like to believe that this technique will not be developed further.
The ransom demand looks like this. A lot of text.
Funds raised for public audit of OpenVPN
News.
Renowned cryptography specialist Matthew Green will conduct an audit of the OpenVPN software. The agreement with Green was reached by the public VPN service Private Internet Access, which is sponsoring the work. It is noteworthy that on November 22 the Open Source Technology Improvement Foundation began raising funds for the same purpose. After more than 30 thousand dollars had been collected (mostly donated by other VPN services), Private Internet Access made a demarche and paid for everything out of its own pocket.
It is clear that operators of VPN services are vitally interested in the reliability of their products, as well as in competent PR. It is not clear how this situation will be settled, but if there are two audits in the end, no one will be particularly upset. Green plans to examine the latest version, OpenVPN 2.4, which is now at the Release Candidate stage, with a release expected in January. The results of the audit are promised “at the beginning of the year,” although, judging from the experience of the TrueCrypt audit, the story may drag on. Let me remind you that the TrueCrypt check ended last year: a couple of minor vulnerabilities were discovered, but none of them affect data security.
Vulnerability in Linux kernel closed
News. Description and proof of concept. The commit that fixes the problem.
A vulnerability that could lead to local privilege escalation was discovered in the af_packet module; it had been there a long time, since August 2011. However, it was closed 4 days after the researcher privately reported the problem. The proof of concept shows how to create a race condition, and the launch of a shell with root privileges was demonstrated on Ubuntu 16.04 with kernel 4.4. Besides Linux desktop devices, the problem is also relevant for Android, with a number of limitations. In some cases the exploit can cause the system to freeze, and it can also be used in remotely hacking a server if limited-rights access to it has somehow been obtained beforehand.
What else happened:
A serious vulnerability in some Netgear routers is trivially exploited: it is enough to click on a prepared link while on the local network. The temporary remedy is to turn off the web interface (which can also be done by clicking on a prepared link).
An interesting study of mining the new cryptocurrency Zcash on other people's hardware, without the owner's knowledge. The detection method is interesting too: the miner itself is not, de facto, malware. But potentially infected systems can be identified by the rule “there is a miner that pretends to be another program”.
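The detection rule above, as an added Python example (not from the original column or the study it mentions). It assumes process-creation records with Sysmon-style fields, treats a stratum pool URL in the command line as the sign of a miner, and uses hypothetical names (miner.exe, pool.example).

```python
import ntpath
import re

# Assumption: a mining-pool address in the command line marks a miner
# (stratum+tcp:// is the URI scheme mining pools commonly use).
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
# Assumption: names a miner might borrow -> the genuine binary's directory.
EXPECTED_DIR = {"svchost.exe": r"c:\windows\system32",
                "explorer.exe": r"c:\windows"}


def masquerade_reasons(event):
    """Reasons a process-creation record looks like a miner posing as
    another program; an empty list means the rule does not match."""
    if not POOL_RE.search(event["CommandLine"]):
        return []  # not a miner, so the rule does not apply
    image = event["Image"].lower()
    name, folder = ntpath.basename(image), ntpath.dirname(image)
    reasons = []
    original = event.get("OriginalFileName", "").lower()
    if original and original != name:
        reasons.append(f"built as {original}, runs as {name}")
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        reasons.append(f"{name} started from {folder}")
    return reasons


def scan(events):
    """Map image path -> reasons for every record matching the rule."""
    return {e["Image"]: r for e in events if (r := masquerade_reasons(e))}


# Constructed sample records; field names follow Sysmon event ID 1,
# miner.exe, pool.example and the command lines are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "OriginalFileName": "miner.exe",
     "CommandLine": "svchost.exe -l stratum+tcp://pool.example:3333"},
    {"Image": r"C:\Tools\miner.exe",  # openly a miner: not flagged
     "OriginalFileName": "miner.exe",
     "CommandLine": "miner.exe -l stratum+tcp://pool.example:3333"},
    {"Image": r"C:\Windows\System32\svchost.exe",  # genuine system process
     "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

Only the first record is reported: the second is a miner running under its own name, which the rule deliberately leaves alone, and the third is not mining at all.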

Antiquities
Azusa Family
Very dangerous viruses. They infect the boot sectors of floppy disks and the MBR of the hard drive. The boot sector is stored in the last sector of the diskette; the original MBR is not saved (they contain a bootloader in their code). The COM and LPT ports periodically “hang”. They intercept int 13h.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992. Page 95.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It depends on luck.