
Security Week 36: a black hole in the Windows kernel, Adobe homograph attacks, the largest data leak in the US

Researchers from enSilo announced that they had found a bug in the Windows kernel, and what a bug: it can prevent antivirus software from learning that an executable file has been loaded. Exploiting such a hole completely rules out checking the file at launch, which means a Trojan can effectively neutralize the security product.

The glitch was found in PsSetLoadImageNotifyRoutine, the kernel API through which a driver registers a notification routine that is called whenever an image is loaded. Without it working correctly it is hard to control the launching of PE files, and that is exactly where Microsoft's developers left a bug that, under certain conditions, lets a malicious file run invisibly to anyone who might be interested.

To exploit the vulnerability, the Trojan first has to get onto the machine somehow. Misgav of enSilo claims the technique is well suited to evading antivirus scanning of a file: suppose a sly fileless dropper loads a Trojan onto the machine and launches it, while the antivirus receives either a broken path to the file or the path to a different file, which it then scans.

Naturally, since enSilo has reported the problem to the press, Microsoft must already have released the necessary update? Not at all. Redmond's response to the report was: since the vulnerability can only be exploited on an already compromised system, nobody is going to patch the kernel. We have heard that one somewhere before. Incidentally, according to Misgav, the bug is at least ten years old and traces its history back to Windows 2000.

IDN homograph attack recorded

The tricky headline really means that someone is trying to deceive visitors to popular sites by registering domains with look-alike spellings. They took adobe.com and replaced it with adoḅe.com. Moreover, the dot under the ḅ is not visible at all if the URL is underlined (in an SMS message, for example). It looks very, very much like the real site, but inside, instead of the usual lucrative offer to buy Photoshop for some 100,500 rubles a month excluding VAT, there is a pushy Flash Player update. Which is, of course, no player at all, but the Beta Bot backdoor.

The Beta Bot rogue acts brazenly, disabling the antivirus and blocking access to antivirus vendors' websites. After that the attacker, waiting for the computer to be left unattended, walks into the machine as if he owned the place and does whatever he wants: steals data from web forms, for example, or pulls any dirty trick on the user's behalf.

Such an attack is not new: criminals have plenty of Unicode characters, and even characters from the standard ASCII table, that look like Latin letters but differ slightly. Browsers do have protection against homographs, but it does not work when every character of the domain name is replaced by a foreign one: the browser simply assumes it is a domain in a national script.
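As an added example (not part of the original column), here is a small Python check of the kind a defender might run over domains seen in mail or proxy logs. The watch-list and the Cyrillic look-alike table are constructed for this example and are far smaller than Unicode's real confusables data. For each domain it computes the punycode form, a browser-style mixed-script verdict like the heuristic described above, and a visual "skeleton" that strips the dot below ḅ; the adoḅe.com case shows that the mixed-script heuristic alone lets it through (ḅ is still a Latin letter) while the skeleton comparison catches it.

```python
import unicodedata

# Constructed watch-list of brand domains the check protects (assumption for this example).
WATCHLIST = {"adobe.com"}

# Tiny, hand-built map of Cyrillic letters that look like Latin ones. Unicode's
# confusables.txt is the real source; this is a deliberately small constructed subset.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def skeleton(domain: str) -> str:
    """Reduce a domain to roughly what a human sees: decompose accented letters
    (NFKD), drop the combining marks (so ḅ -> b), map known look-alikes, lowercase."""
    decomposed = unicodedata.normalize("NFKD", domain)
    chars = []
    for c in decomposed:
        if unicodedata.combining(c):  # e.g. U+0323 COMBINING DOT BELOW
            continue
        chars.append(CONFUSABLES.get(c, c))
    return "".join(chars).lower()


def scripts(label: str) -> set:
    """Script names used in one label, taken from the first word of each
    character's Unicode name ('LATIN', 'CYRILLIC', ...). This mimics the
    browser heuristic the column describes: flag only when scripts are mixed."""
    found = set()
    for c in label:
        if c in "-0123456789":
            continue
        found.add(unicodedata.name(c, "UNKNOWN").split()[0])
    return found


def check_domain(domain: str) -> dict:
    """Return the punycode form plus two independent verdicts:
    'mixed_script' (browser-style check) and 'lookalike_of' (skeleton match)."""
    punycode = domain.encode("idna").decode("ascii")
    labels = domain.split(".")
    skel = skeleton(domain)
    return {
        "domain": domain,
        "punycode": punycode,
        "is_idn": any(label.startswith("xn--") for label in punycode.split(".")),
        "mixed_script": any(len(scripts(label)) > 1 for label in labels),
        "lookalike_of": skel if skel != domain.lower() and skel in WATCHLIST else None,
    }


if __name__ == "__main__":
    # Constructed samples: the genuine domain, the column's adoḅe.com
    # (b with dot below), and a variant with a Cyrillic first letter.
    for d in ["adobe.com", "ado\u1e05e.com", "\u0430dobe.com"]:
        print(check_domain(d))
```

The punycode form is what the browser actually resolves, so logging it next to the Unicode form makes the substitution visible even where the rendered URL hides it. The skeleton comparison is the more robust of the two verdicts, which is why real confusable-detection libraries are built around a full confusables table rather than a script check.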

Data on 143 million Americans stolen from Equifax

A credit bureau is a very important institution in the United States, where just about everyone lives on credit. Without a full credit history an American has a hard time: you can neither buy a house nor send your children to university. So the credit bureau is the very place where information about every American is stored securely and indefinitely. And it stores information not only about how a person repays loans, but a great deal of other data used to assess creditworthiness.

And the largest of these credit-forming enterprises, the Equifax bureau, was hacked a month ago, and the information was, naturally, stolen. According to the victim, the story could touch roughly 143 million Americans, since the hackers managed to make off with social security numbers, driver's licenses, dates of birth and addresses. Well, that is, the office did at least keep the credit histories safe. Probably. They think so.

Yet even without credit data this is an extremely valuable trove by market standards. Such a colossus can be put to many uses, most of which end with honest people becoming poorer and dishonest people, on the contrary, richer. And the most interesting thing is that some people have already made good money on the incident, namely Equifax's own top managers. Bloomberg found out that three Equifax executives, including, characteristically, the CFO, managed to quickly dump their shares in their own company once they learned of the breach (that is, before the fact was announced). What such enterprise threatens these people with is quite clear; in the USA this is handled very strictly.

Antiquities


"MusicBug"

A harmless virus that uses the “Brain” method to infect the boot sector of hard disks and floppies. Contains the text "MusicBug Made in Taiwan". On disk access it plays several tunes. Hooks int 13h.

Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 102.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/337520/