
Security Week 23: EternalBlue ported to Win10, CIA attacks from file servers, marketers quietly infected the whole world

The adventures of EternalBlue continue: researchers at RiskSense have now ported it to Windows 10. At first glance this is a destructive achievement, but it is a substantial part of a security researcher's job. To protect against a future threat you first have to build and test that threat, and preferably before the "black hats" do.

Earlier, RiskSense developed an EternalBlue module for Metasploit that differs from the original in being much harder for an IDS to detect. The DoublePulsar implant was dropped from it: it has been studied too thoroughly and is poor at hiding on a machine, so it gives the attack away. Instead, the researchers wrote their own shellcode, which can load the desired payload directly.

The original EternalBlue, like its Metasploit module, works only on Windows 7 and Windows XP, as well as Windows Server 2003/2008 R2. In its report the company analyzes in detail the whole chain of bugs the exploit uses, and the document shows that all systems based on the NT kernel are vulnerable to such an attack; what stands in the way are defense technologies, some of which EternalBlue can bypass and some of which do not really help anyway.

Sean Dillon, a senior analyst at the company, said that heap spray attacks on the Windows kernel are "almost a miracle", so laborious is it to develop them without access to the OS sources. It would therefore be easier to develop the same attack for Linux.
The researchers also built a version that successfully attacks Windows 10 x64 version 1511 (Threshold 2), for which a new way of bypassing DEP had to be developed. They note specifically that the new exploit does not work on other versions of Win10. But the principle of the attack is clear, and so is its wide applicability. Should we expect a WannaCry wave on Windows 10?

Documentation published on CIA implant for infecting networks

The American intelligence community keeps "pleasing" the global information security community. Either the NSA and the CIA are competing in some cunning PR campaign, or both agencies have followers of Snowden who are just as ideological but, nevertheless, more cautious.

Last Thursday, a publication appeared on WikiLeaks about an implant developed at the CIA that turns a Windows file server into a distribution point for malware over a local network. The tool, modestly called Pandemic, replaces files requested by machines from the file server with Trojanized versions. According to the documentation, Pandemic 1.1 can replace up to 20 different files up to 800 MB in size.

The implant is extremely stealthy and never touches the file itself. It installs a filter driver in the operating system that lets it modify disk I/O on the fly. Antiviruses that analyze files at launch, and transparent file encryption systems, work in a similar way.

Obviously, a client machine gets infected when it launches the file it received from the server, so executable files are the primary danger. But one cannot rule out Pandemic being used together with exploits, for example for Microsoft Office; in that case the infection will spread through documents.
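A substituting filter driver changes the bytes a client receives but cannot change a hash the client recorded out of band. The following is an added example (not from the column and not from the leaked Pandemic documentation) of the check a defender would want on the client side: a manifest of known-good hashes is built once from trusted copies, and every file fetched from the share is hashed and compared before it is opened or run. All file names and contents are constructed for the demonstration; the temporary directory stands in for the file server share.

```python
"""
Added example: client-side integrity check against on-the-fly file
substitution by a file server. Not the column's or Pandemic's own code.
The manifest must come from a trusted, out-of-band source; if it were
fetched from the same server, the substituting driver could swap it too.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large (hundreds of MB) installers work too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(golden):
    """golden: {filename: bytes} of the trusted copies -> {filename: sha256}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in golden.items()}


def verify_share(share_dir, manifest):
    """Hash every manifest entry as served from share_dir.

    Returns a sorted list of (filename, status) with status one of
    'ok', 'modified' (bytes differ from the trusted copy) or 'missing'.
    """
    results = []
    for name, expected in sorted(manifest.items()):
        path = os.path.join(share_dir, name)
        if not os.path.exists(path):
            results.append((name, "missing"))
        elif sha256_file(path) != expected:
            results.append((name, "modified"))
        else:
            results.append((name, "ok"))
    return results


def flagged(results):
    """Only the entries that should block execution and raise an alert."""
    return [(n, s) for n, s in results if s != "ok"]


# Constructed sample: trusted copies of three files normally served from the share.
GOLDEN = {
    "setup.exe": b"MZ\x90\x00legit-installer-bytes",
    "tool.exe": b"MZ\x90\x00legit-tool-bytes",
    "readme.txt": b"installation notes\n",
}
MANIFEST = build_manifest(GOLDEN)


def simulate_served_share(tamper=True):
    """Create a temp directory standing in for the share.

    With tamper=True, setup.exe is presented with a different body under the
    same name (the substitution scenario) and readme.txt is not served at all.
    """
    d = tempfile.mkdtemp()
    served = dict(GOLDEN)
    if tamper:
        served["setup.exe"] = b"MZ\x90\x00substituted-bytes"
        del served["readme.txt"]
    for name, data in served.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    share = simulate_served_share(tamper=True)
    for name, status in verify_share(share, MANIFEST):
        print(f"{status:9s} {name}")
```

The check is only as good as the manifest's provenance: keep it on a read-only medium or obtain it from a separate, authenticated channel, and refuse to execute anything whose status is not `ok`. A hash mismatch here is exactly the signal a substituting driver cannot suppress, because the tampering happens after the trusted hash was recorded.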


Chinese malware has infected 250 million computers worldwide

Beijing-based marketing agency Rafotech has demonstrated a brilliant example of merciless Chinese marketing. Not by itself: it was helped by the guys at CheckPoint, who uncovered the not-so-small Fireball campaign. Modern marketing cannot do without big data; the client must be known better than their own mother knows them. So big data has to be collected as quickly as possible, and as much of it as possible.

Rafotech hit on collecting it with a Trojan. The Fireball malware gets onto a victim's computer by very simple means: it is installed by the more or less legitimate programs (so-called crapware) of Rafotech itself and its partners, and it can also be picked up from spam. Not the most powerful distribution channels, it would seem, yet according to CheckPoint the Trojan has infected more than 250 million computers around the world.

First of all, Fireball replaces the search engine set in the browser with a fake one that redirects queries to Yahoo or Google while diligently collecting information for its owners. Beyond that, Fireball can do everything an honest Chinese marketer might need: run arbitrary code, download and install any software from the Internet, and manipulate the user's web traffic to generate ad views. Technically, Fireball is as advanced as the better-known botnets: it is very good at evading detection (as the scale of its spread proves), and it has a flexible command and control infrastructure.



On its website Rafotech claims to "cover more than 300 million users". Well, now we know that this seems to be true. Covered indeed. What is worrying, though, is that this is not only about individual users: CheckPoint estimates that 20% of corporate systems worldwide have been hit by Fireball. Potentially this gives the militant marketers truly daunting capabilities, and not just in advertising.

Antiquities


"Find-1575"

Non-dangerous resident virus. It writes itself into COM and EXE files when they are run and when files are searched for in directories (DOS FindFirst and FindNext FCB functions). Under certain conditions a "green caterpillar" starts crawling across the screen. Hooks int 1Ch, 21h.

Quoted from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 67.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. That is a matter of luck.

Source: https://habr.com/ru/post/330626/

