
Security Week 4: Bots for GTA fans, malicious Chrome add-ons with Yandex technologies

News in Russian, details in English.
Recently, a new IoT botnet was discovered, apparently created by a big fan of GTA: its command server lives on the domain of a fan-made multiplayer mod for GTA San Andreas. Besides hosting home-made San Andreas servers, the site lets you order a DDoS attack for a reasonable fee (from $20). The new botnet was nicknamed JenX because its working binary carries the gentle girlish name Jennifer.

JenX's creator did not reinvent the wheel; on the contrary, they scraped the bottom of the barrel. To recruit new bots the malware exploits vulnerabilities in Realtek and Huawei routers (the corresponding exploit code was publicly released by the author of the infamous BrickerBot). In addition, JenX obfuscates its code with a logical XOR using the same key as PureMasuta, whose source code was not freely available but was published on an invitation-only dark-web forum. Reverse engineering also revealed the lineage from Mirai.
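The XOR obfuscation mentioned above is the kind an analyst strips off first when looking at a Mirai-style bot: the string table is XORed byte by byte with a fixed key, and XOR is its own inverse. The following added example (not code from the article or from any malware sample) shows the analyst's side of that: it recovers an unknown single-byte key by scoring each candidate decode for "looks like a C string table", then splits the table into strings. The config table and the key `0x22` are constructed placeholders for the demo, not the real JenX/PureMasuta values.

```python
# Added example (not from the article or any malware sample): recovering
# XOR-obfuscated strings, a routine step when analysing Mirai-style bots.
from typing import List, Tuple

# Tokens an analyst expects in a bot's config table; used only to rank keys.
EXPECTED_MARKERS = (b"/bin/", b"http", b".")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call obfuscates and deobfuscates."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(buf: bytes) -> float:
    """Heuristic 'looks like a C string table' score: fraction of bytes that
    are printable ASCII, whitespace or NUL separators, plus a bonus for
    each expected marker token present."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if b == 0 or 32 <= b < 127 or b in (9, 10, 13))
    bonus = sum(0.5 for m in EXPECTED_MARKERS if m in buf)
    return ok / len(buf) + bonus


def rank_single_byte_keys(blob: bytes, top: int = 3) -> List[Tuple[int, float]]:
    """Try all 256 single-byte keys and return the best-scoring candidates."""
    scored = [(k, text_score(xor_bytes(blob, bytes([k])))) for k in range(256)]
    scored.sort(key=lambda kv: kv[1], reverse=True)
    return scored[:top]


def split_c_strings(buf: bytes) -> List[str]:
    """Split a NUL-separated table into Python strings."""
    return [s.decode("ascii", "replace") for s in buf.split(b"\x00") if s]


def recover_table(blob: bytes) -> Tuple[int, List[str]]:
    """Pick the best-scoring key and decode the table with it. The analyst
    still confirms the result by eye; the score is only a heuristic."""
    best_key, _ = rank_single_byte_keys(blob, top=1)[0]
    return best_key, split_c_strings(xor_bytes(blob, bytes([best_key])))


# Constructed sample: a hypothetical config table and a placeholder key.
# The key is an assumption for the demo, not the real JenX/PureMasuta key.
PLACEHOLDER_KEY = bytes([0x22])
PLAINTEXT_TABLE = b"c2.example.invalid\x00/bin/busybox\x00admin\x00"
OBFUSCATED_TABLE = xor_bytes(PLAINTEXT_TABLE, PLACEHOLDER_KEY)

if __name__ == "__main__":
    key, strings = recover_table(OBFUSCATED_TABLE)
    print(f"best key 0x{key:02x}: {strings}")
```

The marker bonus matters: several wrong keys map every byte of the sample onto printable ASCII (flipping letter case, for instance), so printability alone can tie. For a multi-byte key the same approach works per key position once the key length is known.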

However, unlike those relatives, the JenX payload contains no network-scanning or vulnerability-exploitation code. The command server itself hunts for vulnerable devices and carries out the RCE attacks.

On the one hand, this prevents the botnet from growing exponentially, as most others do. On the other hand, by removing the scanning and exploit functions from the distributed malware, the hackers can make those functions more sophisticated and partially or fully automate them using higher-level languages and libraries. Plus, centralized command servers produce less “noise” than exponential propagation, so such a botnet is harder to detect. And if someone does raise the alarm (as has happened now) and the shop has to be shut for a while, centralized servers are easier to move and hide.

The botnet owners are trying to make money primarily from disgruntled users of multiplayer mods, who are itching to order a DDoS attack on a server where they feel wronged (for example, banned). At least, attacks on fan servers that players suspect are JenX's work have already been observed. Such are the “gang wars.”

But the botnet can just as easily be retargeted at something else, more profitable. The advertised volume of junk traffic is not that large, only 290 Gb/s, but for a small company's server it is more than enough, and for twenty dollars, why not dabble in amateur cyberterrorism?

Shock! Chrome extensions follow users' every step... using Yandex technologies


News in Russian, details in English, and the Princeton researchers' report on the dangers of session replay.

You do not need to be a systems analyst to understand this: if perfectly respectable web analytics tools for recording a user's session capture absolutely every click the user makes on a site, and send that data to perfectly respectable servers for a perfectly respectable purpose (marketing analysis, say), then sooner or later someone not so white and fluffy will join this shining chain, and legitimate statistics-collection tools will be put to evil use.

This is exactly what happened with the Yandex.Metrika service, one of whose libraries the attackers used in malicious add-ons for Google Chrome. The Yandex tool does not save entered passwords, but passwords are hardly the only prize: recording a session still yields plenty of interesting things, for example all of the user's credit card details. You just have to wait until they visit an online store.
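The point above, that excluding password fields is not the same as excluding sensitive data, is easy to see on a concrete replay stream. The added example below (not Yandex.Metrika code, nor the Princeton study's) scrubs a session-replay event stream before it leaves the client: password inputs are dropped, as the vendor already does, and any input whose value has the shape and Luhn checksum of a payment card number is masked to its last four digits. The event format and the sample events are constructed for the demo; the card number is the standard test value 4111 1111 1111 1111.

```python
# Added example (not Yandex.Metrika code or the Princeton study's code):
# a client-side scrubber for session-replay events that shows why dropping
# password fields alone is not enough, and how to mask card numbers before
# events leave the browser. The event format is an assumption for the demo.
import re
from typing import Dict, List

# 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"^\s*(?:\d[ -]?){13,19}\s*$")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Shape check plus Luhn, so order numbers and phone numbers are left alone."""
    if not PAN_RE.match(value or ""):
        return False
    return luhn_valid(re.sub(r"[ -]", "", value.strip()))


def mask_pan(value: str) -> str:
    """Keep only the last four digits, as receipts do."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_events(events: List[Dict]) -> List[Dict]:
    """Return a copy of the replay stream that is safe to ship to an analytics server."""
    safe = []
    for ev in events:
        ev = dict(ev)
        if ev.get("type") == "input":
            if ev.get("input_type") == "password":
                continue  # the vendor already excludes these; we drop them too
            if looks_like_pan(ev.get("value", "")):
                ev["value"] = mask_pan(ev["value"])
                ev["redacted"] = True
        safe.append(ev)
    return safe


# Constructed sample stream: a click, a test card number, an order id, a password.
SAMPLE_EVENTS = [
    {"type": "click", "target": "#checkout"},
    {"type": "input", "field": "cardnumber", "input_type": "text",
     "value": "4111 1111 1111 1111"},
    {"type": "input", "field": "order_ref", "input_type": "text",
     "value": "1234567890123"},
    {"type": "input", "field": "pwd", "input_type": "password", "value": "hunter2"},
]

if __name__ == "__main__":
    for ev in scrub_events(SAMPLE_EVENTS):
        print(ev)
```

The Luhn step is what keeps the scrubber from mangling harmless numeric fields: the 13-digit order reference in the sample passes the shape check but fails the checksum and is left untouched, while the card number is masked. In practice this runs in the page before the replay library serialises events, since anything that reaches the analytics server is already out of the user's hands.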

As the researchers found out, the add-ons were distributed centrally. The hacker group behind them was named Droidclub, after one of its command servers. It is not known whether the attackers sold the stolen information about users' actions, but they were hardly going to just play “I know what you did last summer” with users. These cybercriminals certainly have a commercial streak: they used the same extensions to show ads, and the group's earlier add-ons surreptitiously installed Monero miners.

In total, security researchers found 89 variants of such add-ons, literally for every taste. The names and descriptions of the extensions were generated randomly, and it is surprising that they were downloaded and installed a total of 423 thousand times, despite the Google team deleting them so quickly that many did not last a day. No, a “fresh smell for underwear” is a good thing, of course, but using a browser add-on as a deodorant is something out of late cyberpunk.

Antiquities


Stone-a, -b, -c, -d

When booting from an infected floppy disk, with probability 1/8 the message “Your PC is now Stoned!” appears on the screen. The viruses also contain the string “LEGALISE MARIJUANA!”. The “Stone-c” virus infects the MBR of the hard drive and destroys the partition table (Disk Partition Table), after which the computer can only be booted from a floppy disk. “Stone-d” destroys data on the hard drive on October 1.
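Both symptoms described above, a recognisable string in the boot code and a wiped partition table, are what a forensic triage of a disk image looks for. The following added example (not from the article) parses a 512-byte MBR, checks the boot signature, decodes the four partition entries and flags a sector that carries the quoted strings or a signed-but-empty partition table. The two sample sectors are constructed here for the demo.

```python
# Added example (not from the article): a small MBR triage helper of the kind
# used when a disk image is suspected of boot-sector infection. Sample sectors
# are constructed here; the marker strings are the ones quoted in the article.
import struct
from typing import Dict, List

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
KNOWN_MARKERS = (b"Your PC is now Stoned!", b"LEGALISE MARIJUANA!")


def parse_partitions(sector: bytes) -> List[Dict]:
    """Decode the four 16-byte partition entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def triage_mbr(sector: bytes) -> Dict:
    """Flag a sector that carries known virus strings or a wiped partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    used = [p for p in parse_partitions(sector) if p["type"] != 0 and p["sectors"] != 0]
    markers = [m.decode() for m in KNOWN_MARKERS if m in sector]
    table_wiped = signature_ok and not used
    verdict = "suspicious" if markers or table_wiped else "clean"
    return {"signature_ok": signature_ok, "partitions": used,
            "markers": markers, "table_wiped": table_wiped, "verdict": verdict}


def build_sector(boot_code: bytes, entries: List[bytes]) -> bytes:
    """Assemble a 512-byte MBR from boot code, up to four entries and the signature."""
    if len(boot_code) > PART_TABLE_OFFSET:
        raise ValueError("boot code overlaps the partition table")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, entry in enumerate(entries[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a healthy MBR with one bootable FAT16 partition starting
# at LBA 63, and an "infected" one carrying the virus strings and an empty table.
CLEAN_MBR = build_sector(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 16,
                         [struct.pack("<B3xB3xII", 0x80, 0x06, 63, 204800)])
INFECTED_MBR = build_sector(b"\xea" + b"\x00".join(KNOWN_MARKERS), [])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, triage_mbr(mbr))
```

A wiped table with an intact 0x55AA signature is the interesting case: the BIOS still considers the sector bootable, so the machine runs the virus code and then finds no partition to continue from, which matches the "only boots from floppy" symptom in the text. Real images should also be compared against a known-good copy of the MBR, since a string scan only catches families whose text is already known.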

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's a matter of luck.

Source: https://habr.com/ru/post/349234/
