Security Week 19: Windows Defender launches someone else's code, a Trojan was in HandBrake, phishers attacked Gmail users

Spring was generous with holes of an apocalyptic scale, and in the most unexpected places. This time it's not a smartphone, and not a router, but much worse - Microsoft Malware Protection Engine. This component is used by Windows Defender and is enabled by default in Windows 8, 8.1, 10, as well as in Windows Server 2016.

This time, Google has distinguished itself: researchers from Google Project Zero Tavis Ormandi and Natalie Silvanovich found a 'crazy bad' vulnerability. Ormandy hurried to tweet about it, saying that this is the worst vulnerability of remote code execution in Windows lately - and, of course, generated a lot of sensational headers. Developers from Microsoft rushed to close the hole, like sailors to storm the Winter, and three days later the patch was ready. Ormandy, who courageously kept all the details with himself, burst into relief with a bugreport .

What it turned out. Malware Protection Engine (MsMpEng) with its, in general, limitless possibilities, was available remotely through several different Windows services, in particular, Exchange and IIS. The bottom line is that MsMpEng rightfully controls all actions related to the file system, and if a service tries to write something similar to JavaScript to disk, the threat level with heuristic methods is determined by the NScript component, which is a surprise! - does not run in a sandbox and with a high level of rights. And, of course, in this component, there was an evil bug that allows the cunning script to force NScript to execute arbitrary code.

The most fun, of course, is the attack scripts. It turned out that it is enough to receive a letter (and you don’t even need to open it!), Click on the link, or, for example, get the file through some instant messenger, so that the malicious code can be executed on the computer. It is as if the censor, stripping out his duty as anti-government sedition from a newspaper, after reading, believed in revolutionary ideas and joined the ranks of the Carbonari. Such is the unexpected heuristics.
')
Then it would be possible to scare, but no longer want. And so it is clear that this is bad. The update from Microsoft, in theory, should already spread over all systems connected to the Internet, administrators who have fenced their networks with firewalls should take care of themselves. Fortunately, there are enough security solutions on the market.

HandBrake was infected with Mac malware

News If you never, ever download programs from suspicious places, always check websites for authenticity and log in strictly on https, and finally, you are a Mac user - you are reliably protected from malware, no other precautions are needed.

That's all wrong! The guys from the dark side are not done with a finger, and they earn their living by this craft, so they will always find a way to ruin the life of an innocent user. Yes, you only look at the incident with the HandBrake open source video encoder! If you downloaded its Mac OS X version from the manufacturer’s site somewhere between May 2 and 6, and installed it without any chance, you infected your Mac with these very hands. But not 100%, the mirror turned out to be compromised, not the main file hosting.

Inside the distribution was RAT, a Proton Trojan that tracks all activity in the victim’s system, including keystrokes, file downloads, and screen status. Proton, by the way, like the recent OSX / Dok, turned out to be signed by the real signature of the Apple developer.
How clever hackers cracked the file mirror of HandBrake - not reported, but in general this is not the focus, there are a lot of ways, starting with the banal phishing attack on the admin. The main thing is that this can happen again with almost any site, no matter how authoritative the owner is.

If you hit the number of those who downloaded the transcoder on specified days, participants of the HandBrake project advise checking the checksums of the SHA1 and SHA256 distribution file before launch, if you have already installed it, take a look at the activity_agent process - if it is in the system, then this is IT. Demolish, treat, change passwords.

Millions of Google Docs users have experienced a phishing attack

News Earlier this week, a massive phishing attack swept Google’s users. It was organized very simply: letters were sent to the victims, which stated that someone, and in many cases this person from the victim’s contact list, wanted to share documents in the Google Account to the recipient. If a curious recipient clicked on the 'Open in Docs' button, the Google OAUTH authorization service page opened. The real, without cheating.

Here only this service serves to issue access to external services to your Google account. The login and password, of course, is not given to the outside - if the user allows access, an authorization token is transmitted to the external service that is valid to perform certain actions on behalf of the user. In this case, the external service was called 'Google Docs', and he demanded rights to manage contacts, read and send emails, and manage email.

There are no complaints to OAUTH here - the service wrote in big letters what people want from Google Docs. But who reads such warnings? While thinking about why the Google service asks for access to Gmail, it would not hurt.

In any case, the attack, according to Google, was stopped within an hour, during which malicious spam managed to get a measly 0.1% of Gmail users. However, Google itself declares a billion active users, so it turns out that a million of them could potentially become victims of an attack. How many people click without reading, we will not know - but there are definitely a lot of such.

Antiquities

"VFSI"

Nonresident dangerous virus. Typically infects .COM files when an infected file is run. Depending on the current time, it can decipher and display the phrase: “HELLO !!! HAPPY DAY and success from virus 1.1VFSI-Svistov ”.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 93.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.