
The ShadowBrokers charity marathon of leaks continues to bear fruit. Following WannaCry, another worm burst onto the Net, packed with exploits to the brim. One sample was caught by the Croatians from their local CERT and named EternalRocks; the second was caught by Heimdal Security and given the no less pathos-laden name BlueDoom. They enter the target machine the same way WannaCry does, through port 445.
What is curious about the new worm is the large number of exploits built into it: it uses EternalBlue, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch, SMBTouch and DoublePulsar, all courtesy of ShadowBrokers' generosity.
Having infected a machine, EternalRocks does nothing for a day (apparently in case it has been launched in a sandbox; the authors are betting that researchers will not wait that long for the captured specimen to twitch), and then calls home to its command server over the Tor network. But apart from the exploit pack for further propagation, the server never sent it anything particularly harmful, which rather puzzled researchers.
The author himself revealed the secret by posting a message on the command server stating that there was nothing to be afraid of: his worm is no villain at all, but a very useful self-propelled firewall that closes port 445 on its victims. At the same time the author stopped the campaign by disabling delivery of the exploit pack from the server. It seems he did not enjoy the close attention of researchers. And what did he expect? People don't really like being made happy by force.
By the way, there were encouraging reports this week that Quarkslab worked out how to reconstruct the encryption key from the prime number used to generate it. In practice the discovery is of limited use. Yes, the key recovery utility sometimes works, but only because CryptReleaseContext on Windows XP does not properly clean the memory. On more modern operating systems this function works as it should, and our hero still crashes Windows XP anyway.
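The arithmetic behind that key-recovery trick, as an added example that is not code from the column or from Quarkslab: if one RSA prime survives in process memory, the private exponent follows from it and the public key. P, Q and E are small constructed values, not the malware's real key.

```python
# Added example: rebuilding an RSA private key from the public key plus one
# prime factor that survived in memory. Constructed values for illustration.
P = 1000003   # prime assumed to have been found in process memory
Q = 1000033   # second prime, used here only to build the public key
E = 65537


def make_public_key(p, q, e=E):
    """Return (n, e), the public key the victim still has on disk."""
    return p * q, e


def recover_private_key(n, e, p):
    """Rebuild the private exponent d from n, e and a single known prime p.

    Returns (d, q). Raises ValueError if p does not divide n, which is what
    happens when the memory region was wiped (CryptReleaseContext on modern
    Windows) or overwritten since the key was generated.
    """
    if n % p != 0:
        raise ValueError("p is not a factor of n: nothing to recover")
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return d, q


def encrypt(m, n, e):
    """Textbook RSA; m must be smaller than n."""
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


def roundtrip_demo(message=123456789):
    """Encrypt with the public key, recover d from P alone, decrypt."""
    n, e = make_public_key(P, Q)
    c = encrypt(message, n, e)
    d, _ = recover_private_key(n, e, P)
    return decrypt(c, n, d)


if __name__ == "__main__":
    print(roundtrip_demo())
```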
Siemens and Bayer are preparing anti-WannaCry patches for medical equipment
News

It would seem there is no sensation here: patches are always good. However, it turned out to be interesting: a lot of medical equipment runs Windows, is connected to the Internet and exposes SMB to it. This is convenient, apparently, for maintenance: who knows, push new firmware, look at the logs or something. And for the time being this approach seemed safe to vendors. An MRI scanner will not open suspicious attachments in e-mail and will not visit shady websites.

But WannaCry belongs to a half-forgotten breed of malware: it is a network worm that spreads using a network exploit, and merely listening on port 445 is enough to get infected. So far nobody seems to have reported the fashionable Trojan disabling medical equipment anywhere, but given its propagation technique that is simply inevitable. Moreover, we know how reluctantly and unhurriedly IoT vendors release patches. So if they have moved, there was a reason, and a serious one.
Meanwhile, data leaks from medical institutions have become the trend of the past year, and this is a rather painful topic. But those were just leaks. Now imagine what a sudden failure of a hospital's entire complex of medical equipment could lead to. These days, in a decent modern medical institution, you won't even be given a pill without special apparatus. In short, the threat to human life is obvious.
Attack vector through crafted subtitles
News, Research

Let's take a break from WannaCry and see what else is going on in the world. Check Point Software revealed an original new attack vector on users. It would seem, what could be dangerous about a subtitle file for a movie? It is just text! But no: almost all popular video players and media centers have vulnerabilities that allow arbitrary code to be run on the system by slipping them properly crafted subtitles.
This is another confirmation of the thesis that vulnerabilities are absent only where nobody has looked for them. One just had to look, and in VLC alone there were four at once. The experts rolled out a short list of leaky applications suitable for this type of attack: VLC, Kodi, Stremio and Popcorn Time; Smart TVs are mentioned as well. In all cases the attacker gains complete control over the victim's system.
The most annoying thing is that even those who never watch movies with subtitles are at risk. Many video players automatically search for and download subtitles for the movie being played, and it is just as easy to attach a malicious file to a torrent distribution. The company is not disclosing technical details because of the scale of the problem: too much vulnerable software, too many users at risk (VLC alone has more than 170 million downloads). However, all the players mentioned in the news have already received patches, so update.

Antiquities
"Twin-351"
"Satellite" (companion) virus: when an .EXE file is run, it creates a "satellite" file with the executable's name and the .COM extension (for example, XCOPY.EXE becomes XCOPY.COM) and writes a copy of itself into it. When any file is run from the command line, .COM files are looked up first and only then .EXE. As a result, the .COM file containing the virus is launched first. The virus in turn installs its TSR copy and runs the .EXE file.
It implements a rather original "stealth" mechanism: it sets the hidden attribute on the satellite file, intercepts int 21h and handles the FindNext function in such a way that files with the hidden attribute are not displayed. As a result, the .COM files containing the virus body are not visible either with the DIR command or in Norton Commander.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 85.
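A clean-boot heuristic for the companion technique described above, as an added example that is not code from the column or the quoted book: flag any .COM file that shadows an .EXE of the same base name, and note whether it carries the hidden attribute. The directory listing is constructed for illustration.

```python
import os
import stat

# Added example: detecting Twin-351-style companion files. Constructed listing
# of (file_name, is_hidden) pairs as seen from a clean boot.
SAMPLE_LISTING = [
    ("XCOPY.EXE", False),
    ("XCOPY.COM", True),     # hidden twin of an .EXE: the classic infection sign
    ("FORMAT.COM", False),   # no matching .EXE, so nothing to flag
    ("EDIT.COM", False),
    ("EDIT.EXE", False),     # twin without the hidden bit: lower confidence
    ("README.TXT", False),
]


def find_companion_candidates(listing):
    """Return (com_name, exe_name, hidden) for every .COM that shadows an .EXE.

    Because DOS tries .COM before .EXE, any such pair means the .COM file
    runs in the .EXE's place whenever the base name is typed.
    """
    exes = {os.path.splitext(n)[0].upper(): n for n, _ in listing
            if n.upper().endswith(".EXE")}
    hits = []
    for name, hidden in listing:
        base, ext = os.path.splitext(name)
        if ext.upper() == ".COM" and base.upper() in exes:
            hits.append((name, exes[base.upper()], hidden))
    return hits


def listing_from_directory(path):
    """Build (name, is_hidden) pairs from a real directory.

    Must run from a clean boot: with the virus resident, its int 21h hook
    filters hidden entries out of FindNext and this scan would miss them.
    """
    out = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)   # only set on Windows
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")
        out.append((entry.name, hidden))
    return out


if __name__ == "__main__":
    for com, exe, hidden in find_companion_candidates(SAMPLE_LISTING):
        print(f"{com} shadows {exe}" + (" [HIDDEN]" if hidden else ""))
```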
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's the luck of the draw.