
Security Week 18: a hole in every system with an Intel Core, Apple revokes a Trojan's certificate, ransomware has flooded the planet

What the security Bolsheviks have been warning about for so long has happened. The problem has existed for almost ten years, and now it has become widely known: a vulnerability has been found in the Intel Management Engine firmware. Intel's advisory lists versions 6.0 through 11.6, which, mind you, means every version since 2008, i.e. every platform from the first-generation Intel Core processors onward.

Those who know what ME can do are already frightened. It can read and write any area of RAM and storage, see what is happening on the screen, send and receive anything over the network while bypassing the firewall running on the system, and all of this without leaving a trace in the logs. Rumor has it that ME even gets past disk encryption without breaking a sweat. An inhumanly useful thing.

Obviously, if you integrate a legitimate hardware backdoor into the motherboard, you need to tighten the screws of its security to the maximum, which Intel did. The ME code, for example, is encrypted with a 2048-bit key. But as usual, something went wrong, and now the wider public knows for certain that ME's control functions can be seized remotely. At risk are machines that implement the AMT, ISM and SBT technologies. Which is to say, in general, everything on Intel chipsets with an Intel Core.

Intel's advisory, however, states that ordinary consumer systems are not vulnerable, and that seems close to the truth: they supposedly have no AMT, ISM or SBT. But we know that a consumer product differs from a corporate one largely in its firmware settings. So it is here: as researchers have already worked out, the hole can be exploited on a consumer chipset too, not only remotely but locally. That is, for example, any malware running in user space is quite capable of gaining unlimited power over the system.

People in the know immediately recalled that some had hinted at holes in ME last year. Damien Zammit insisted that ME's security rests on closed code, which is no insurmountable obstacle for analysts. And Charlie Demerjian of SemiAccurate said outright that researchers had been poking at these vulnerabilities in Intel for a long time. Hearing this, Threatpost asked Intel the legitimate question of what was really going on, but William Moss of Intel did not confess to anything. According to him, the company learned of it all only in March, and by May the patch was ready. What more do you want from Intel, you ingrates?!

A patch is a good thing. But we know that besides the motherboards Intel makes itself, there are a huge number of boards from other manufacturers built on its chipsets. Intel is not responsible for those: it released the patch and moved on. Whether those third-party manufacturers will close the hole in their own firmware, and when, is an open question. In the meantime, the advice is to disable the remote management technologies in CMOS Setup and remove the corresponding Intel utilities from the system. Well, OK.

Apple revoked a certificate from an OS X Trojan
Last week Check Point caught a new and interesting Trojan for Macs, OSX/Dok. It listens to traffic and can fully control all communications on an infected machine, including encrypted channels. This is done quite simply: the browser is slipped a proxy controlled by the attackers, and all traffic goes through it. The Trojan first installs its own root certificate in the system, so the browser trusts the proxy server's certificate and it becomes hard to tell that HTTPS traffic is being intercepted.

OSX/Dok is spread by phishing: victims receive emails with a zip file that is actually an executable. If a naive Mac user clicks the file, the Trojan copies itself to /User/Shared and shows a message saying the archive is damaged, leave me alone. Then it finds the App Store in the login items and takes its place. After the system reboots, it shows a window announcing a system update and demands a password. Until the victim enters the password, nothing can be done on the computer. And once it is entered, Dok gets admin rights.

To create all this disgrace and remain undetected, the Trojan is let through by a legitimate Apple developer signature, either stolen or obtained specifically for dark deeds. As far as security was concerned, it was a real, honest Trojan, Apple approved. Well, now Apple has revoked the certificate, and Dok will no longer be able to deceive us.

Most malware is ransomware Trojans
Verizon Enterprise annually publishes a study of the various cyber incidents the company has investigated over the year. Last year they had to deal with 40 thousand incidents, of which 1935 were breaches of various kinds. The conclusions are very disturbing: attacks with various strains of ransomware grew by 50%, with Petya and Misha making a considerable contribution.

Cybercriminals have started working more subtly. Whereas before a typical cryptor burst into the machine with the grace of the First Cavalry Army and encrypted everything that could be encrypted (and was most often sent packing, since there was nothing valuable on the machine), it now sits quietly and looks for really important data. To do so, they have mastered fileless attack techniques and even remembered the good old MS Word macros.

The main security problem, Verizon believes, is the lack of two-factor authentication. In most cases, brute force and phishing are enough for hackers to do whatever they want with the victim.

Antiquities

"Tequila"

Resident, non-dangerous stealth ("ghost") virus. Infects EXE files in the standard manner when they are run, and the hard disk MBR when an infected file is run. The original MBR sector and its continuation are kept in the last sectors of logical drive C:, whose size is reduced in the Partition Table accordingly.

It becomes memory-resident only when booting from an infected MBR. Hooks int 13h, 1Ch, 21h. Depending on its internal counters, it displays a multi-colored picture resembling a flying plane and the phrase: "Execute: mov ax, FE03 / int 21. Key to go on!" If you perform the recommended action, the following text appears on the screen:

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 107.
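An added example, not from the page or from the book: a small C checker for the partition-table trace Tequila leaves behind. It parses a raw MBR sector, finds where the last primary partition ends, and reports how many sectors sit unallocated after it; the 20480-sector disk, the FAT16 partition at LBA 63 and the corrupt-signature case are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
#define MBR_SIZE 512
#define PART_TABLE_OFF 0x1BE        /* four 16-byte partition entries */
#define MBR_SIG_OFF 0x1FE           /* 0x55 0xAA boot signature */
#define SAMPLE_DISK_SECTORS 20480u  /* constructed disk size for the sample */
typedef struct { uint8_t status, type; uint32_t lba_first, sectors; } part_entry;
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Parse the four primary entries of a raw MBR sector; returns 0 if the boot signature is missing. */
int parse_mbr(const uint8_t mbr[MBR_SIZE], part_entry out[4]) {
    if (mbr[MBR_SIG_OFF] != 0x55 || mbr[MBR_SIG_OFF + 1] != 0xAA) return 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PART_TABLE_OFF + 16 * i;
        out[i].status = e[0];           out[i].type = e[4];
        out[i].lba_first = rd32(e + 8); out[i].sectors = rd32(e + 12);
    }
    return 1;
}

/* Sectors between the end of the last partition and the end of the disk. A tail of unallocated
   sectors on a drive that used to fill the disk is where Tequila parks the original MBR after
   shrinking the partition in the table; compare the value against a known-good baseline. */
uint32_t trailing_unallocated(const part_entry p[4], uint32_t disk_sectors) {
    uint32_t end = 0;
    for (int i = 0; i < 4; i++) {
        if (p[i].type == 0 || p[i].sectors == 0) continue;
        uint32_t e = p[i].lba_first + p[i].sectors;
        if (e > end) end = e;
    }
    return end >= disk_sectors ? 0 : disk_sectors - end;
}

/* Constructed sample MBR: one bootable FAT16 (type 06h) partition starting at LBA 63. */
void build_sample_mbr(uint8_t mbr[MBR_SIZE], uint32_t sectors, int corrupt_sig) {
    uint8_t *e = mbr + PART_TABLE_OFF;
    memset(mbr, 0, MBR_SIZE);
    e[0] = 0x80; e[4] = 0x06;
    for (int i = 0; i < 4; i++) { e[8 + i] = (uint8_t)(63u >> (8 * i)); e[12 + i] = (uint8_t)(sectors >> (8 * i)); }
    if (!corrupt_sig) { mbr[MBR_SIG_OFF] = 0x55; mbr[MBR_SIG_OFF + 1] = 0xAA; }
}

/* Builds and checks the sample; returns the trailing sector count, or -1 if the MBR did not parse. */
int64_t check_sample(uint32_t sectors, int corrupt_sig) {
    uint8_t mbr[MBR_SIZE]; part_entry p[4];
    build_sample_mbr(mbr, sectors, corrupt_sig);
    if (!parse_mbr(mbr, p)) return -1;
    return (int64_t)trailing_unallocated(p, SAMPLE_DISK_SECTORS);
}
```

Modern disks routinely leave slack after the last partition, so the count is only meaningful against a baseline taken from the same drive when it was known to be clean.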

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's down to luck.

Source: https://habr.com/ru/post/328100/
