News
Recently, the operators of a Tor proxy service who were stealing from both their own users and from ransomware operators came to the attention of security researchers. The point is that this Tor proxy was often used by ransomware victims who were unable or unwilling to install the Tor browser; it was through this service that they visited the attackers' .onion sites. Some extortionists even put a direct link through this proxy in their ransom notes, as they say, all for the convenience of the client. The trouble is that when the page loaded, the extortionists' wallet address was quietly swapped for someone else's.
The Onion.top operators were secretly combing the dark-web pages loaded through their portal for Bitcoin wallet addresses and then replacing them. Judging by the fact that the substitution rules differ from page to page, they were set up manually, separately for each ransomware family. The service's owners managed to steal at least a little more than 2.2 bitcoins this way.
The most interesting thing is that the scheme came to light thanks to an announcement by the extortionists themselves, who called on victims not to use the unreliable Onion.top service. Now the offended blackmailers are taking other measures against this unprecedented deceit: for example, they strongly recommend using only the Tor browser, or they break the wallet address up with HTML tags so that it is harder to find on the page automatically.
There could be your trojan
News in Russian, details in English.
The criminal group Zirconium has created a network of 28 fake media agencies in order to buy space on ordinary advertising sites entirely legally and show unsuspecting users advertising that itself redirects them to fraudulent pages. In 2017, Zirconium's ads bought at least a million views from desktop browsers.
The traffic Zirconium received from the redirects was resold to various unscrupulous individuals for all kinds of fraud (buyers mostly dealt in fake virus alerts, prompts to update some player, and other standard tricks for distributing malware and otherwise parting the public from its money). The group itself concentrated on generating that traffic at minimum cost and risk. The forced-redirect technology, configured to fire not always but selectively, helped it avoid detection for a long time: by a number of signs, the mechanism identified likely security researchers and did not trigger the redirect for them.
The group approached cost reduction creatively: it created its own advertising network and an intricate legal structure of shell companies to serve itself and its malicious clients, organizing, in effect, a whole semi-legal business model. And it worked!
All the firms existed only as pages on social networks. They were built to a simple but reliable pattern: each has its own domains, each has a LinkedIn profile for its director with a stock photo at a desk, and some also have a blog or Twitter account full of the usual vanilla quotes about support, corporate philosophy and customer focus, the works, for the gullible. The researchers found 28 dummy companies, 20 of which had already proved themselves in the criminal field, while another 8 were waiting in reserve.
Zirconium's front companies managed to establish business relations with 16 large media platforms. The money earned by the intruders is credited to firms with Seychelles addresses that are linked to other online crimes. A digital Soprano clan, in short. It is quite possible that this is what the future of malware distribution looks like: organized and businesslike.
Is there life after NotPetya
News
The NotPetya malware is hardly news anymore; only the deaf haven't heard about its attack in June 2017. But even six months later, companies continue to tally the damage, take stock, and share with colleagues and the public how they survived the crisis. For some organizations, inattention to their own security cost them almost their entire IT infrastructure. Recently the logistics company Maersk, through which almost 20% of the world's sea shipping passes, shared its pain. According to its CEO, 4 thousand servers, 25 thousand computers and 2.5 thousand applications had to be rebuilt.
In all, this work took Maersk 10 days. And for those 10 days the company had no electronic record-keeping whatsoever. At the same time, ships kept arriving in port every 15 minutes, and 10 to 20 thousand containers had to be unloaded from each. All of those containers had to be received, checked, recorded and assigned a place without any help from computers. You can imagine the pandemonium in the company at the time! But they did a fine job: productivity dropped by only 1/5. More than a decent result. The only pity is that such heroism was needed at all.
On the other hand, the Maersk story is an encouraging example: if the Danes could manage without computers, perhaps not all is lost for the rest of humanity. Maybe when our electronic slaves rebel and we have to pull the plug, the world will be plunged into chaos only for a while. And then modest heroes with calculators, ledgers and slide rules will come to the rescue.
Antiquities
Stone Family
Viruses of this family are very dangerous: they infect the first physical sectors of disks, the boot sector of a floppy disk and the MBR of a hard drive. They consist of two parts. The first part contains the body of the virus and is stored in the first physical sector of the disk; the second contains the original sector of the infected disk and occupies one of the rarely used sectors: on the hard drive, a sector between the MBR and the first boot sector, and on a floppy disk, one of the sectors allocated to the root directory. For example, the Stone-a virus writes it to the last sector of the root directory of 360K diskettes.
Early versions of the virus save their second part to the disk at fixed addresses: for a floppy disk 1/0/3 (head/track/sector), for the hard drive 0/0/7. No checks are made in this case, so the virus can destroy part of the information on the disk (on a floppy disk, one of the sectors of the FAT or root directory; on the hard drive, one of the sectors of the FAT).
Floppy disks are infected when they are read from (int 13h, ah = 2), and the hard drive is infected when DOS is booted from an infected floppy disk. Viruses of the family intercept int 13h.
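To make the layout above concrete, here is an added Python example (not part of the column and not Kaspersky Lab code) that maps the head/track/sector addresses quoted in the text to linear sector numbers, shows that 1/0/3 on a 360K floppy is indeed the last sector of the root directory, and restores the first physical sector from the saved copy, which is the classic way such an infection is cleaned. The floppy geometry is the standard 360K one; the hard-disk geometry, the image contents and the inert placeholder standing in for the "first part" are constructed assumptions.

```python
SECTOR = 512

# Geometry of a 360K 5.25" floppy: 2 heads, 9 sectors per track, 40 tracks.
FLOPPY_360K = {"heads": 2, "spt": 9}
# Assumed geometry for an MFM hard disk of the era (17 sectors per track);
# it does not affect the result for head 0, track 0, which is all we need.
HARD_DISK = {"heads": 4, "spt": 17}

# The fixed hidden locations quoted in the column, as (head, track, sector).
FLOPPY_HIDDEN = (1, 0, 3)
HDD_HIDDEN = (0, 0, 7)


def chs_to_lba(head, track, sector, geom):
    """Map a head/track/sector triple (sector numbers start at 1) to a linear sector index."""
    return (track * geom["heads"] + head) * geom["spt"] + (sector - 1)


def root_dir_sectors_360k():
    """Layout of a 360K DOS floppy: boot sector, two 2-sector FATs, then a
    7-sector root directory (112 entries of 32 bytes). Returns (first, last)."""
    first = 1 + 2 * 2
    count = 112 * 32 // SECTOR
    return first, first + count - 1


def read_sector(image, lba):
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])


def has_boot_signature(sector):
    """A bootable sector ends with 55h AAh; a root-directory sector normally does not."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xAA"


def looks_infected(image, geom, hidden_chs):
    """Heuristic drawn from the description: a valid boot sector sitting at the
    hidden location that differs from sector 0 means the original was moved."""
    saved = read_sector(image, chs_to_lba(*hidden_chs, geom))
    return has_boot_signature(saved) and saved != read_sector(image, 0)


def disinfect(image, geom, hidden_chs):
    """Copy the saved original sector back over the first physical sector."""
    saved = read_sector(image, chs_to_lba(*hidden_chs, geom))
    if not has_boot_signature(saved):
        raise ValueError("no valid boot sector at the expected hidden location")
    clean = bytearray(image)
    clean[0:SECTOR] = saved
    return bytes(clean)


def make_fixture():
    """Constructed test images (not real disk dumps): a clean 360K-style image
    and a copy with the first sector displaced exactly as the column describes.
    The stand-in 'first part' is an inert placeholder, not virus code."""
    original_boot = b"\xEB\x3C\x90CONSTRUCTED BOOT SECTOR".ljust(510, b"\x00") + b"\x55\xAA"
    clean = bytearray(SECTOR * 16)
    clean[0:SECTOR] = original_boot
    infected = bytearray(clean)
    hidden = chs_to_lba(*FLOPPY_HIDDEN, FLOPPY_360K)
    infected[hidden * SECTOR:(hidden + 1) * SECTOR] = original_boot
    infected[0:SECTOR] = b"\xEA" + b"PLACEHOLDER FIRST PART".ljust(509, b"\x00") + b"\x55\xAA"
    return bytes(clean), bytes(infected)


if __name__ == "__main__":
    print("floppy 1/0/3 -> LBA", chs_to_lba(*FLOPPY_HIDDEN, FLOPPY_360K),
          "; root directory occupies LBA", root_dir_sectors_360k())
    print("hard disk 0/0/7 -> LBA", chs_to_lba(*HDD_HIDDEN, HARD_DISK))
    clean, infected = make_fixture()
    print("fixture infected?", looks_infected(infected, FLOPPY_360K, FLOPPY_HIDDEN))
    restored = disinfect(infected, FLOPPY_360K, FLOPPY_HIDDEN)
    print("first sector restored?", restored[:SECTOR] == clean[:SECTOR])
```

The mapping shows why the column calls the chosen sectors "rarely used": LBA 11 is the seventh and last root-directory sector of a 360K disk, which only matters once more than 96 entries exist, and LBA 6 lies on track 0 between the MBR and the first partition, which DOS of that era left empty. Disinfection only puts sector 0 back; whatever originally lived at the hidden location has already been overwritten and cannot be recovered from the image.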
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. As luck would have it.