
Security Week 28: Petya turns out to be crackable, the Broadcom chipset bug is closed in Android, CopyCat infects 14 million devices

Last year's Petya ransomware Trojan can certainly do a lot: it overwrites the MBR and encrypts the MFT, yet it never became as famous as its imitators. The whole story with the copycats apparently upset Janus, the author of the original, so much that he went and published its private key.

He did not simply post it with a "here, take it!", though. He approached the process creatively and played a game with the white hats: the archive was password-protected, and a link to it was left in a tweet with a hint in the form of a quote from the film GoldenEye. Perhaps he hoped that this way people would notice and remember. The author is apparently a fan of the Bond films; hence his nickname, the name of the file with the key (Natalya), and the names of the Trojans Petya and Misha. Malwarebytes solved the riddle first and posted the contents of the file:

Congratulations!
Here is our secp192k1 privkey:
38dd46801ce61883433048d6d8c6ab8be18654a2695b4723
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the "Personal Code" which is BASE58 encoded.


Anton Ivanov, a researcher at Kaspersky Lab, immediately checked the key and confirmed that it is genuine. Researchers had cracked Petya before, which forced Janus to fix a flaw in later versions of the Trojan, but now the victims of every genuine Petya variant can get their files back for free.
This is not the first time a ransomware key has been published; something similar happened a year ago with TeslaCrypt. Janus has now simply closed his project, at the same time cutting off the oxygen to the imitators who were making money on slightly modified Petya builds. Alas, this act of charity will not help the victims of ExPetr / NotPetya.

Google closes the Broadpwn bug in Android

There is a view that it is not easy to pick up an infection on a smartphone: you have to act like a real fool, agreeing to download an unknown file called something like adobe_flash_update_mamoi_klyanus_bez_virusov.apk ("I swear on my mother, no viruses"), allowing installation from untrusted sources, and finally installing it yourself. However, there is a direct and obvious threat on mobile OSes: RCE bugs, which are regularly found and patched. This time a researcher from Exodus Intelligence announced a Black Hat USA 2017 talk about a particularly nasty bug, CVE-2017-9417, in Broadcom BCM43xx Wi-Fi chips. They named it Broadpwn, which should give an idea of the danger level: it allows arbitrary code execution in kernel context, and the attack is carried out remotely. What is also interesting is that the demonstrated exploit successfully bypasses DEP and ASLR.

There is no complete list of vulnerable smartphone models, but the exploit's author states that the bug is present in all Samsung flagships, in many LG and HTC models, and in several iPhones. Incidentally, nothing is known about whether Broadpwn can be used against iOS, and Apple is keeping quiet about the bug, as only Apple can.

Besides Broadpwn, the latest Google update includes patches for 11 more critical holes, including the RCE bug CVE-2017-0540, which allows code execution in the context of a privileged process via a specially crafted file. This hole is present in Android 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1 and 7.1.2. Owners of Nexus and Pixel devices will get the patches; everyone else, as luck has it. It is that familiar feeling when Google fixes several RCE vulnerabilities at once in its next update, and you realise that the smartphone you bought a year ago will never see that patch.

Copycat Trojan infects 14 million Android devices

More on mobile hygiene. Suppose you scrupulously follow the rules of information security on mobile devices, do not browse anywhere dodgy on your smartphone and install only well-known applications with millions of downloads. And yet a piece of filth like CopyCat somehow ends up on your device and shows you tons of advertising pop-ups. This is no invented story: about 14 million Android devices are in this position, and on 8 million of them the Trojan is not so easy to remove, because it has obtained root.

The Trojan spreads not only through traditional channels such as malicious landing pages and spam. It is also injected into popular applications and posted in the third-party app stores that are so popular in Asia; accordingly, most infections have been recorded in that region.



Once an application with CopyCat inside is installed and launched, the Trojan pulls out a bundle of exploits and tries to gain root rights on the system, then happily injects its library into Zygote, the process from which every app is launched. Next it spoofs the installation referrer parameter (install_referrer) in order to collect the money that the application's publisher spends on promotion. It can also substitute the advertisements shown to the user and install third-party applications, which makes it a guaranteed distribution channel for whatever its operators order.

Antiquities


"Attention-629"

A dangerous non-resident virus; it writes itself into the .COM files of the current directory. Extremely primitive. On launch, the 800th "descendant" of the virus is supposed to announce: "Attention! I'm a virus", but it contains so many errors that it is unlikely to live to such a respectable age.

Quoted from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 60.

Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's the luck of the draw.

Source: https://habr.com/ru/post/333374/
