News
The fate of Exobot, with which attackers have been extracting user bank card data since 2013, has been more interesting than that of most similar Trojans, and very problematic for security experts. The authors of the bot willingly rented it out for any period, and the service turned out to be so successful commercially that a second version appeared, rewritten from scratch. Tellingly, customers could modify the Trojan from the control panel, choosing the functions they needed. Almost factory clones, with specifications for every taste.
And last December, the organizers of this cloning center publicly announced that they were going to sell the source code to a limited circle of customers. Allegedly, they had already earned enough with Exobot and were leaving the business. The statement does not sound very logical, but it may be partly true: if they managed to make a big profit, their own freedom now outweighs the possible benefits. More likely, though, the operators of Exobot were trying to disguise a desire to slip into the shadows and away from close attention. Either way, after the very first sales the trouble did not keep anyone waiting: the malware went into mass production.
Less than a month later, new large-scale campaigns using Exobot were launched in Austria, England, the Netherlands and Turkey; obviously, the happy new owners were quick to put their "clones" to their intended use. Turkish users were hit hardest: thanks to particularly successful droppers placed on Google Play, a single Turkish botnet alone grew to almost 4.5 thousand infected devices.
It can be expected that in the near future one of the new owners will leak the malware code into free access. This has happened to banking Trojans many times. It means that all and sundry will try to use the newly published code, including crudely and ineptly. Apparently, we will soon be able to admire a collection of Exobot variations of varying degrees of glitchiness.
Who are you gonna call? Ghostbusters!
News
Google continues to heroically clean its store of threats of various kinds: 53 more malicious applications have recently been removed from it. They contained malware that displayed unauthorized advertising to earn its creators a little cash from clicks, and stole users' Facebook passwords on the side. The nickname its creators chose for themselves is quite loud: GhostTeam. At least, that phrase was found in the malware code.
For delivery, the malware used a mainstream technique: a Trojan dropper and fake security notifications persuade the user to install an additional application with admin privileges. But then the interesting part began. Granted, the interesting part does not concern the main advertising function, which was implemented in the most usual way. The extraction of usernames and passwords, however, was done elegantly. As a rule, this kind of malware displays a fake screen with login fields on top of the social network's application. GhostTeam acted differently: it intercepted the moment a user logged into Facebook and opened the real web page for entering credentials, not in a browser but through an operating system component for displaying web pages, such as WebView or WebChromeClient. With certain modifications, of course: along with the page it loaded malicious JavaScript, which stole the credentials.
Since the operation is performed on the real Facebook page by real Android components, most security software does not notice anything criminal.
Most of the applications carrying GhostTeam have already been removed from Google Play. Most of them were flashlights, QR code scanners, cleaning utilities and the like. Statistics showed that most of the malicious downloads were made by Indian users, although the malware most likely comes from sunny Vietnam.
DNS cosplay
News in Russian, details in English
As security researchers found out in December, the update agent for all Blizzard games had a vulnerability which, with due ingenuity, allowed it to be ordered to download and install libraries, data files and so on. Given that Blizzard has 500 million users, and that skipping game updates is not an option, this could have flared up badly. Fortunately, the hole was found by security experts, not by cybercriminals: at the very least, there is no information at the moment that anyone has actually exploited it.
The agent was vulnerable to DNS rebinding attacks because of an imperfect authentication mechanism: roughly speaking, a malicious server could pose as a bridge between the client and the update server. In the end, Blizzard engineers quickly figured out the problem and rolled out an effective fix, and also assured everyone that users do not need to do anything: the agent update will be installed automatically.
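The fix for this class of bug on a localhost-bound HTTP agent is to refuse any request whose Host header does not name the local machine: after DNS rebinding the attacker's hostname resolves to 127.0.0.1, so the Host header is the only thing that distinguishes a request from a page the user actually opened. The following is an added example (not Blizzard's code; the allowlist, the port, the handler name and the constructed attacker hostname are assumptions) that runs a tiny agent, sends it one legitimate request and one that carries a foreign Host header, and shows the second being rejected.

```python
"""Host-header allowlist for a localhost HTTP agent (added example, not Blizzard's code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: names under which the agent expects to be addressed.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this machine (port ignored)."""
    if host_header is None:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. "[::1]:1120"
        end = host.find("]")
        if end == -1:
            return False
        host = host[:end + 1]
    elif ":" in host:                   # "localhost:1120" -> "localhost"
        host = host.rsplit(":", 1)[0]
    return host in allowed


class AgentHandler(BaseHTTPRequestHandler):
    """Stand-in for the update agent's local HTTP endpoint (assumed name)."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # A rebound DNS name still resolves here, but its Host header does not match.
            self.send_response(403)
            self.end_headers()
            self.wfile.write(b"bad host\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"agent ok\n")

    def log_message(self, *args):
        pass  # keep the demo quiet


def probe(port, host_header):
    """Send one GET to the local agent with an explicit Host header; return the status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/status", headers={"Host": host_header})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_demo():
    """Start the agent on an ephemeral port and compare a local and a rebound request."""
    server = HTTPServer(("127.0.0.1", 0), AgentHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        legit = probe(port, f"localhost:{port}")
        # Constructed hostname standing in for a rebound attacker domain.
        rebound = probe(port, f"update-mirror.attacker-example.test:{port}")
    finally:
        server.shutdown()
        server.server_close()
    return {"legit": legit, "rebound": rebound}


if __name__ == "__main__":
    print(run_demo())  # {'legit': 200, 'rebound': 403}
```

The allowlist is deliberately exact-match rather than suffix-based, so a name such as `localhost.attacker-example.test` is rejected; the port is stripped because browsers always append it for non-default ports.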
Antiquities
Yale
A very dangerous virus. It infects disks only during a "warm" reboot, writing itself to the boot sector of drive A:. The original boot sector is stored in sector 0/39/8 (side/track/sector). It performs no checks. Intercepts int 9 and int 13h.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. That's a matter of luck.