
Security Week 6: an "enchanted letter" plagues Apple users, Monero one captcha at a time, and mining now in Word too

News

Most of us use at most two keyboard layouts in everyday life and hardly ever think about the fact that the applications we launch every day must understand and correctly render thousands of characters from hundreds of languages in order to work at all. Forget even one character, and the whole program can collapse like the Tower of Babel.

Unfortunately, this is not a parable but the story of a very real bug that hung or crashed iOS apps when they tried to render one of two Unicode characters of the Telugu language. The problem appeared on some versions of iOS in applications that use the default San Francisco font, and it caused plenty of inconvenience to users who were not expecting a dirty trick.
Imagine: you open your social network feed on your favourite iPhone, and there you see that someone unfamiliar, with strange characters in their name, has liked your post or added you as a friend. "Great, probably a foreigner," you think, and you have no time to think any further, because you immediately have other concerns: the app you are in hangs hard and refuses to work. You kill it and try to launch it again, but nothing happens; you have to delete it and reinstall. After reinstalling, everything finally works. You go back to your feed, and there is that user again. Crash, reboot, reinstall, repeat until you have pulled out all the hair on your head...

On the whole it looks like a typical "text bomb", but in fact it is not quite one. "Text bombs" are usually created by attackers, or simply by hooligans, and are a piece of executable code. Telugu, however, is not a program but an ordinary human language, spoken by almost 80 million people in India and other countries. One of Motherboard's authors gives an example: his own Twitter app hung from a like by an ordinary user who had no hooligan intentions at all. Simply to display certain characters, the CoreText library accesses an incorrect region of memory. The system treats this as a serious error, panics, and kills the faulty component.

The new "text bomb" affects such popular applications as Mail, Twitter, instant messengers, Slack, Instagram and Facebook (and that is not the complete list). Not only iPhones but other Apple devices, watches and TVs, were under threat. And if one of the Telugu characters appears in a pop-up notification, then it is not one of the installed applications that is blocked but SpringBoard, a key part of iOS. The device then falls into an endless reboot loop and the whole system has to be reinstalled. So if, reading this, you are wondering whether to prank some Apple fan you know this way, you had better refrain. Besides, the bug is already fixed in the new beta versions of iOS, tvOS, macOS and watchOS, and Apple promises to roll the patch out to the other systems in the near future.

Monero rides on the backs of non-robots


News

Ever sworn for ten minutes straight trying to enter a captcha from a phone with its tiny on-screen keyboard? Well, fraudsters have figured out how to profit, or rather to sponge, off your inconvenience.

Researchers found a new way of mining, aimed at Android mobile devices, while studying a malvertising campaign. Checking different chains of bad ads, they noticed an interesting pattern: clicking certain banners from a desktop computer lands you on a fake technical support site, while clicking them from a phone makes the browser show a big, scary notice in red on black: your device is showing suspicious behaviour, prove that you are not a robot, enter the captcha. And until you do, we will mine Monero on your device to compensate our expenses.

And what is most amusing, the offenders are hardly even lying, except for shifting the emphasis a little: the mining is not "conducted because of suspicious behaviour", it is that suspicious behaviour itself. And once the user enters the captcha, the mining honestly stops and the Google start page appears.

But such "openness" is poor consolation, because a cryptojacker in its most brazen form can not only slow the phone down but also cause serious battery damage, which Kaspersky Lab experts learned from bitter experience while examining the multi-purpose Loapi malware in December.

However, this particular campaign, which has been running at least since November 2017, seems more harmless. Nor does it seem to collect millions: since phone processors are weak, users would need to be held on the captcha page for a very long time to bring in serious money. The researchers examined five domains used by the fraudsters. They are visited by only 800 thousand users per month, and each spends an average of 4 minutes on the mining page. Of course, the attackers probably have more domains, but by a preliminary estimate their earnings hardly exceed a few thousand dollars a month.

Mining through Word, or the experts know their perversions


News

Any bug can be turned into a feature when served properly, and any feature with enough imagination becomes a bug: the law of the unity and struggle of opposites in action. And given the current popularity of Monero and the Coinhive service (best not mentioned at night), any browser-adjacent bug is immediately put to use for mining. Now it is Word's turn: Microsoft has added the ability to embed an iframe tag to display video from third-party sites. (Here we wanted to joke that mining through weather widgets awaits us soon, but it turned out someone had already thought of that.)

So, back to Word: no cases of mining through documents with an iframe have yet been found in the wild, but implementing it is easier than easy. The thing is, first, Word does not restrict in any way which sites or domains the video is loaded from; second, the pop-up window in which the video plays is, in fact, an Internet Explorer browser with its interface cut off. This means scripts can run in it, including cryptojacking ones.

However, extracting cryptocurrency through documents is not very profitable: you would have to make the user watch the video in the document for a very long time. You can, of course, embed a longer video or artificially stretch the time with download buttons, but on the whole it is far more profitable for scammers to cut out the intermediate stage and simply start their own streaming service, with porn, for example, so that visitors stay for a long time.

Microsoft, by the way, does not consider this vulnerability a security risk. That is logical too: the manufacturer's business is to provide a useful feature, and the user's business is to be prudent. Besides, a cryptojacking script embedded in the video display code is easily detected by antivirus.

Antiquities


Boot-Exe Family

Resident harmless viruses; they write themselves into EXE files and the boot sectors of disks. The boot sector of the hard drive is infected when an infected file is run; the boot sectors of floppy disks are infected when the disk is read. The original boot sector is stored on the hard drive at 0/0/11 or 0/0/12 (head/track/sector), and on a floppy disk at 1/0/3. EXE files are infected by a rather original algorithm: the viruses analyse the information read from disk (int 13h). If the sector read from disk contains an EXE file header (the first two bytes equal "MZ" and some other conditions are met), the virus writes itself into the free space in that header and saves the modified sector back to disk. That is: a) when a file is infected, its length does not increase; b) there is no need to handle attributes, file time or critical errors (int 24h).

They do not manifest themselves in any way; they intercept int 13h.
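As an added illustration (not from the column), here is a small defensive check in the spirit of the description above: it parses the MZ header at the start of a sector and reports whether the header's slack, the bytes between the end of the relocation table and the start of the load module, contains anything other than zeros, since that is the free space this family writes itself into without changing file length. The sample sectors are constructed; some linkers also leave non-zero data there, so treat the result as a heuristic to triage, not a verdict.

```python
import struct

MZ_HEADER_MIN = 28  # size of the fixed part of the DOS MZ header

def mz_header_slack(sector: bytes):
    """Return (start, end) of the unused bytes inside the MZ header, or None
    if the sector does not begin with a well-formed EXE header."""
    if len(sector) < MZ_HEADER_MIN or sector[:2] != b"MZ":
        return None
    e_crlc, e_cparhdr = struct.unpack_from("<HH", sector, 6)
    (e_lfarlc,) = struct.unpack_from("<H", sector, 24)
    header_end = e_cparhdr * 16          # header size is given in 16-byte paragraphs
    reloc_end = e_lfarlc + 4 * e_crlc    # each relocation entry is 4 bytes
    if reloc_end < MZ_HEADER_MIN or reloc_end > header_end or header_end > len(sector):
        return None                      # malformed or truncated header: not a candidate
    return reloc_end, header_end

def suspicious_header_slack(sector: bytes) -> bool:
    """True if the header slack holds non-zero bytes (possible injected code)."""
    span = mz_header_slack(sector)
    if span is None:
        return False
    start, end = span
    return any(sector[start:end])

def build_sample_sector(slack_payload: bytes = b"") -> bytes:
    """Constructed 512-byte sector: 64-byte MZ header (e_cparhdr = 4) with one
    relocation entry at offset 30, so bytes 34..63 are header slack."""
    assert len(slack_payload) <= 30
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    struct.pack_into("<HHHH", hdr, 2, 0x90, 3, 1, 4)  # e_cblp, e_cp, e_crlc, e_cparhdr
    struct.pack_into("<H", hdr, 24, 30)               # e_lfarlc: relocation table offset
    struct.pack_into("<HH", hdr, 30, 0, 0)            # the single relocation entry
    hdr[34:34 + len(slack_payload)] = slack_payload
    return bytes(hdr) + b"\x00" * (512 - len(hdr))

if __name__ == "__main__":
    clean = build_sample_sector()
    # constructed non-zero filler standing in for injected bytes, not real virus code
    tampered = build_sample_sector(bytes(range(1, 15)))
    print("clean sector flagged:", suspicious_header_slack(clean))
    print("tampered sector flagged:", suspicious_header_slack(tampered))
```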

Disclaimer: this column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That is just the luck of the draw.

Source: https://habr.com/ru/post/350214/
