
Security Week 48: Root Access for Diligence, a Mining Online Consultant, and Trial-Run Macro Malware

News in Russian, more in English

If a person stubbornly presses the same button even though nothing happens, they are either a fool or a tester by vocation. This week, for example, that is exactly how an almost amusing vulnerability was found in the new macOS High Sierra 10.13.1 and 10.13.2 Beta: it turned out that if, at the user selection screen, you type root in the login field, put the cursor in the password field without entering anything, and click "Unlock" several times, the system lets you in with root rights. Of course, Apple reacted instantly to such a vulnerability.


This bug was especially dangerous for machines with remote access enabled. For the rest it is not so critical, as long as you do not leave the machine unattended and you set a screen lock. The bug also did not work if disk encryption was enabled on the device and the machine was completely powered off. And those who have set their own root password need not worry at all.
(By the way, if you have a device running macOS High Sierra 10.13.1 or 10.13.2 Beta and you still haven't set a root password, now is the time. Even with the patch released, it will not hurt. Seriously, set it right now; you don't even have to finish reading this paragraph.)

How significant this vulnerability was, and whether it is fair to compare it with the recent Keychain problems, is debatable. Immediately after the bug was reported on Twitter, Apple published instructions for setting the root password, and just a day later it released an update. The vulnerability, which according to Apple was caused by a logic error in the validation of administrator credentials, received the designation CVE-2017-13872.

Cryptominer instead of online consultant


News in Russian; the English version is shorter but has screenshots

Either one of the developers sensed a good moment and decided to mine some Monero for himself, or the servers of the popular LiveHelpNow widget were compromised; either way, on the eve of Black Friday the Coinhive cryptominer turned up in the JavaScript of this innocuous browser widget.

The LiveHelpNow widget is a live-chat tool for websites and is used by many online stores, including giants such as Crucial and Everlast; according to PublicWWW, it is installed on 1,500 websites. That is, simply by asking the seller whether "the same dressing gown, but with mother-of-pearl buttons" was in stock, any shopper could unknowingly mine cryptocurrency for a complete stranger.

Apparently, the calculation was that in the Black Friday rush nobody would notice their computer slowing down slightly (or not so slightly). Moreover, the miner was not loaded on every machine: either the attacker botched the code, or introduced this restriction deliberately to make it harder to detect.

This is, of course, not the first time miners have been planted in legitimate browser extensions, but the trick is still very ingenious.

qkG: ransomware made from a single macro


News in Russian, more in English

Another piece of malware living in Microsoft Office macros has been caught. The beauty of this particular specimen is that it does not use the macro to download a payload. It is its own payload, written entirely in Visual Basic.

Infection occurs in the typical way: the user downloads an infected Word document, opens it and clicks the "Enable Editing" button, which also allows macros to run. The malware launches, but the user apparently notices nothing: to start its subversive activity it uses the onClose function, which triggers the payload only after the document is closed. Perhaps the unknown creator borrowed this trick from the recently rebuilt Locky, or perhaps came up with it himself.

Next, qkG first disables Protected View in Word and enables automatic execution of macros, and second, it inserts itself into the Normal.dot template, which is used when creating every new document. Now, if the user creates a Word file and sends it to a colleague via corporate email, the colleague is also likely to get qkG on their computer.

And finally, both the original file and all documents created after it was opened are encrypted with XOR, and a ransom demand is appended to their text. Admittedly, restoring the files to their original form is quite simple, because the decryption key, "I'm QkG@PTM17! by TNA@MHT-TT2", is contained in the code of the cryptor itself.
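An added example (not qkG's own code) of why a cryptor that XORs documents with a hard-coded repeating key is trivially reversible: the same routine encrypts and decrypts, and, as a generalization beyond the article, the key can also be recovered from a short stretch of known plaintext even if nobody reads it out of the macro. The key is the one quoted above; the sample document text, the offset and the assumption of a known key length are constructed for the demonstration.

```python
from itertools import cycle

# Hard-coded key reported in the article; in the real sample it sits in the macro source.
KEY = b"I'm QkG@PTM17! by TNA@MHT-TT2"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one call both 'encrypts' and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Recover a repeating XOR key from known plaintext (a boilerplate header, say)
    located at `offset` in the document. Assumes the key length is known and that
    the known text covers every key position at least once (len(known) >= key_len)."""
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for i, p in enumerate(known):
        # ciphertext byte XOR plaintext byte gives the key byte used at that position
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ p
    return bytes(key)


if __name__ == "__main__":
    sample = b"Quarterly report: revenue up 4%.\nSee attached figures."  # constructed document text
    ct = xor_with_key(sample, KEY)
    assert xor_with_key(ct, KEY) == sample                       # same call decrypts
    assert recover_key(ct, sample[5:34], 5, len(KEY)) == KEY     # key from 29 known bytes at offset 5
    print("decrypted OK; key recovered from known plaintext")
```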

The experts who discovered this malware found several versions of it on VirusTotal. All of them are cryptors of one kind or another, but with some variety in features: one had code to encrypt the clipboard contents, another was triggered on a calendar date, a third had a decryption function added (though not active). Apparently, the unknown author is still experimenting with possible options.

On the whole, none of the qkG versions encountered so far is a serious threat. The alarm is caused not so much by the malware itself as by the destructive potential of its distribution method: the technique allows the macro-execution safeguards to be disabled in the Windows registry.
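An added defender's check, not part of the article: the macro safeguards the text refers to live under Word's `Security` registry key, where `VBAWarnings` holds the Trust Center macro setting (1 means every macro runs without a prompt) and `AccessVBOM` allows a macro to write to the VBA project, which is what lets one macro copy itself into Normal.dot. The audit below parses a constructed `reg export` of that key and flags the two dangerous values; the registry text is made up for the example.

```python
import re

# Constructed `reg export` output showing a Word profile whose macro safeguards were turned off.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"""

# Trust Center "Macro Settings" encoded in VBAWarnings; 2 is the default.
VBA_WARNINGS = {1: "enable all macros", 2: "disable with notification",
                3: "disable except digitally signed", 4: "disable all"}

KEY_RE = re.compile(r"^\[.*\\Office\\(\d+\.\d+)\\(\w+)\\Security\]$")
VAL_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')


def audit_office_security(reg_text: str) -> list:
    """Return one finding per weakened setting found in any Office app's Security key."""
    findings, app = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # new key: remember the app only for Security keys
            m = KEY_RE.match(line)
            app = m.group(2) if m else None
            continue
        m = VAL_RE.match(line)
        if not (m and app):
            continue
        name, value = m.group(1), int(m.group(2), 16)
        if name == "VBAWarnings" and value == 1:
            findings.append({"app": app, "value": name, "setting": value,
                             "issue": VBA_WARNINGS[value] + ": macros run without prompting"})
        elif name == "AccessVBOM" and value == 1:
            findings.append({"app": app, "value": name, "setting": value,
                             "issue": "macros may modify VBA projects (self-copy into templates)"})
    return findings


if __name__ == "__main__":
    for f in audit_office_security(REG_EXPORT):
        print(f"{f['app']}: {f['value']}={f['setting']} -> {f['issue']}")
```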

Antiquities


TrkSwap

A very dangerous virus that infects the boot sectors of floppy disks when they are accessed and during a "warm" reboot. When an infected disk is accessed, it alters the contents of tracks 0 and 39 of the disk. Hooks int 13h.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/343740/


All Articles