Security Week 31: WannaCry fighter arrested in the US, Svpeng got a new chip, Cisco patch 15 holes

What do we know about Marcus Hutchins? Surprisingly little. Before the story with WannaCry, nothing was heard about him at all, but then he was glorified by the brilliant move with the stop domain. The guy rummaged in the Trojan's code, found a self-destruct mechanism when receiving a response from the hard-coded domain, registered the domain (costs were $ 10) and managed to significantly slow down Vonnakraya's epidemic.

He lives in the UK, works in a certain company Malwaretech. Well, or he himself is Malwaretech. Judging by his site, Markus since 2013 reverse the malicious code and publishes good research. Recently launched a public botnet tracker where you can see the activity of the most famous botnets. In general, the impression is made of a young, promising "white hat".

Young talent came to Las Vegas - Black Hat and Defcon conferences are taking place there. And it turned out that the guy was waiting in the district court of eastern Wisconsin , and with quite serious accusations on his hands. The indictment contains six points imputed to Marcus. All of them boil down to the fact that Markus Hutchins, for a couple with an unnamed person, is responsible for the creation and distribution of the Kronos banking Trojan.

Kronos was noticed on the darknet in 2014, when its authors opened the pre-order for $ 7,000. The price, apparently, turned out to be too high, since after the release it was started selling for $ 3000, and in 2015 it was selling for $ 2000. On Youtube, by the way, there is a video advertising Kronos, allegedly filmed by accomplice Hutchins.
')
Like other banker Trojans, Kronos trades web injects into Internet banking pages. The victim enters his online banking system in order to see his balance, or pay for something, and a couple of additional fields are placed on her login page — for example, the answer to a secret question and the PIN code from the card. This is in addition to the login and password that Kronos intercepts with the help of keylogger.

In Kronos, there is a curious trick - username-rootkit. It is used to hide the fact of infection, but you cannot hide from the modern antivirus. Therefore, according to the findings of colleagues from IBM, Kronos needs this to protect against other bankers that remove detected competitors from the car.

It turns out, if you believe the American law enforcement officers, it was this that Hutchins earned his living, at least in 2014-2015. As far as the charges are fair, the court will decide, but on the whole this story is quite plausible. Not all “white hats” and their “black” counterparts adhere to their side in principle, some, like “werewolves in shoulder straps”, are trying to achieve success both there and there. At the same time, only one of these parties ensures quiet sleep at night and free movement around the world.

Svpeng got a keyloger

News Research One of the aksakals among mobile bankers, Svpeng, received a new feature. Not to say that the keylogger was something new for Trojans, but Svpeng has never been so indulgent, and in Android bankers it is not considered necessary to intercept keyboard input. To intercept the login, password and SMS code, it is enough to draw a phishing interface over the interface of the banking application. But the authors of Svpeng, apparently decided to expand the scope of its application - now he is a little spying in other applications.

Interestingly, the so-called Android special features are used to intercept keyboard input - features that facilitate the work with a smartphone for people with disabilities. At the same time, Svpeng refuses to work if a Russian is found in the list of keyboard layouts. Roman Unuchek, who we ate a dog on android Malvari, claims that this is a common tactic for Russian cybercriminals to avoid criminal prosecution. They say that if their child does nothing bad in Russia, then there is no crime either.

In addition to data theft, the special features of the OS help the Trojan to acquire device administrator rights, do not allow them to be taken away (you uncheck it, and it appears again). Also, Svpeng does not allow to grant administrator rights to other applications - that is, if the victim has recollected herself late and decided to install an antivirus after infection, this will not help her much.

This rubbish spreads through infected sites under the guise of a fake flash player and works up to the latest version of Android inclusive. Better not to put, even if the site will promise you sooo hot flash-video.

Cisco has released patches for 15 vulnerabilities.

News Cisco is one of the vendors who are actively involved in the security of their own and a few other products. This in itself is commendable and useful for the industry, but in the case of this remarkable company, the popularity of its decisions plays a cruel joke with it. Once Tsisk is at all, everyone is interested in breaking it.

This time, the company paid more than a dozen products at a time. Two of the closed vulnerabilities can cause serious pain in the admin. DOS-vulnerability to VDS (a piece of hardware that supports virtual infrastructure for video broadcasting) allows, as you might guess, to bring down this very VDS by sending a lot of traffic to it. The tactics are clear, nothing clever, but in general the device should not reload in such conditions. After the patch and will not, if you believe Cisco.

The second car suffered ISE, the access control system to the corporate network. It's about just getting the rights of superadmin free then. The essence of the problem is that the system incorrectly processes external requests for authorization and confuses policies for external and internal users. An attacker can break into the network from the outside with the name of an external user that matches the name of the internal user and get his access rights.

Another, difficult to exploit, but potentially tasty bug, allows you to change some parameters in the local connection state database (LSA) of the Cisco router. An attacker sends specially designed OSPF LSA type 1 packets, thus changing the routing table, and potentially intercepting or fading traffic over some connections. It all works for devices with OSPF protocol support and does not work with the FSPF protocol.

Antiquities

"Softpanorama"

Very dangerous resident virus. Standard affects COM and EXE files when accessing them. EXE files are translated to a COM format (see “VACSINA” virus). It appears as follows: erases sectors with random numbers, calls int 5 (screen print). It contains text strings: “comexe”, “Enola Gay is now flying to SoftPanorama!”, “Command”. Intercepts int 8, 21h

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 83.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.