News in Russian, details in English
Professional burnout befell the hacktivist known as The Doctor (aka The Janit0r), making him abandon his BrickerBot botnet and go on indefinite leave. The reason is simple: when he started his crusade against holes in IoT in 2016, this advocate of the fight-fire-with-fire philosophy hoped to make manufacturers and users of "smart" devices take Internet of Things vulnerabilities more seriously. But no matter how hard he tried, nothing came of it.
His creation, BrickerBot, scanned the Internet for vulnerable devices and then overwrote their flash memory with junk, sometimes also corrupting the firmware. By Janit0r's own account, tens of millions of devices have been hit since November 2016, and some of them were left completely unusable. Well, at least the bricked cameras and phones were then truly useless to botnets like Mirai and its clones.
Alas, time has taught the self-proclaimed security advocate what any school teacher knows: there is no force in the world more powerful than human indifference. Progress in protecting the Internet of Things has, of course, begun, but it is too slow for the Janitor's taste. Worse, since the hacker did manage to partially contain the epidemics of contagious botnets (he called his efforts "chemotherapy"), the collective unconscious of the Internet decided that not everything was rotten in the state of Denmark.
As a farewell gift, Janit0r published the source code of his brainchild, but with a catch: technical experts noted that it contains at least one zero-day vulnerability that other hackers could exploit.
Before leaving, Janit0r once again scolded everyone for carelessness, offered several reasonable security measures and expressed the hope that he would not disappear into the night, kidnapped by some unscrupulous organization that lost millions because of his antics.
How not to become Pinocchio
News in Russian, more in English
Over the weekend, a certain cryptocurrency wallet suddenly found itself at the top of the App Store in the "Finance" category. The wallet looked like a mobile application for MyEtherWallet.com, a fairly reliable Ethereum-based cryptocurrency storage service, and was modestly priced at under five dollars. The trouble is, the site had never heard of this application, and the wallet's developer, as named in the description, had never dealt with cryptocurrency. Among his projects on the App Store there are only three applications, including two games about combat pandas. The Internet, of course, loves pandas, almost as much as cats, but that is hardly sufficient reason to entrust one's finances to who knows whom. Even if the keys to the cryptocurrency really are stored on the owner's device, as the application description claims, using such a wallet is hardly safe.
What is surprising is not even that such a wallet miraculously made it to the top, but that it appeared in the App Store at all: even ideological opponents of Apple products cannot deny that Apple has a better security system than its competitors. It seems that cryptocurrency today beats pandas and cats combined in popularity, so the moderators missed an application buried under an avalanche of similar handicrafts. The creators of MyEtherWallet immediately contacted Apple and asked for the application, most likely a scam, to be removed. Whether anyone lost money because of it is still unknown, but at least 3000 people downloaded it.
Not a centaur, not a mermaid, but an Android vulnerability
News in Russian, more in English
And a couple of words about fakes: this week Google patched a vulnerability that could theoretically allow an attacker to insert malicious code into the APK files of respectable applications while keeping their signatures valid.
The vulnerability stems from the very structure of APK files and the possibility of embedding DEX files with arbitrary code in them. As a result, a single file can be interpreted by the system as both an APK and a DEX at the same time. And since the APK signature covers only the archived contents, it remains valid.
The vulnerability was named Janus, after the two-faced deity. Like the ancient god of thresholds, it is capable of causing chaos and destruction on a catastrophic scale: if the update of a perfectly legitimate program with a high level of access, say a banking application, is replaced with a dual file that the perpetrators have tampered with, the criminals can acquire the same rights on the user's device as the application itself. Fortunately, no examples of this attack have yet been found in the wild. In any case, on Android 7.0 and newer (with the updated signature scheme), the vulnerability does not work. Cheers, comrades.
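The structural point above, that a ZIP parser locates the archive from its end and happily ignores a foreign prefix while a DEX parser reads the magic at offset 0, is what a defender can check for. The following is an added example written for this column, not Google's patch or any vendor's code: it builds a constructed sample archive in memory, shows that Python's zipfile still lists its entries when a DEX-style header is prepended, and flags such files as polyglots. The prepended bytes are only the DEX magic followed by padding (a constructed marker, not a real DEX file), and the sample archive is not a real signed APK; a production check would run this before, not instead of, signature verification.

```python
import io
import zipfile

# Android DEX files begin with "dex\n" followed by a version and a NUL byte.
# Only the prefix is checked here; the version digits vary by Android release.
DEX_MAGIC_PREFIX = b"dex\n"


def build_sample_apk(entries: dict) -> bytes:
    """Build a minimal ZIP archive in memory (constructed sample, not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def zip_entries_readable(data: bytes):
    """Return the entry names a ZIP parser sees, or None if the bytes are not a ZIP.

    zipfile finds the end-of-central-directory record from the end of the data and
    adjusts for any prepended bytes, which is exactly why a foreign prefix goes unnoticed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify(data: bytes) -> str:
    """Label a blob as 'apk', 'dex', 'polyglot' (DEX magic at offset 0 *and* a readable
    ZIP structure) or 'unknown'. Polyglots are the shape the Janus bug abuses."""
    starts_like_dex = data.startswith(DEX_MAGIC_PREFIX)
    names = zip_entries_readable(data)
    if starts_like_dex and names is not None:
        return "polyglot"
    if names is not None:
        return "apk"
    if starts_like_dex:
        return "dex"
    return "unknown"


if __name__ == "__main__":
    apk = build_sample_apk({"classes.dex": b"sample", "META-INF/MANIFEST.MF": b"sample"})
    # Constructed polyglot-shaped input: DEX magic plus padding in front of the archive.
    suspicious = b"dex\n035\x00" + b"\x00" * 64 + apk
    for label, blob in (("clean archive", apk), ("prefixed archive", suspicious)):
        print(f"{label}: {classify(blob)}, entries={zip_entries_readable(blob)}")
```

The check is deliberately cheap: a file that a ZIP parser accepts should not also carry a DEX magic at offset 0, so an update pipeline or app-vetting step can reject such inputs outright rather than relying on the v1 signature, which, as the text notes, covers only the archive's entries.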
Antiquities
Anthrax
A resident virus that infects COM and EXE files and the hard drive's MBR. Files are infected in the standard way. The MBR is infected when an infected file is run; the rest of the virus body and the original MBR sector are stored starting at address 0/0/2 (track/head/sector).
Memory is infected when booting from an infected disk; after that, the virus infects only files. It hooks int 21h and contains the strings "ANTHRAX" and "(c) Damage, Inc".
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.