Mining has become perhaps the most frequent news item and the most fashionable pastime of cybercriminals. But where there is popularity, there is competition: at this pace, every computer will soon be running several malicious programs from different developers, not to mention the scripts embedded in web pages. And CPU resources are not elastic.
An unknown craftsman considered this prospect and decided to hedge: a Trojan miner has appeared in the wild that finds and stops its competitors.
The program is disguised as a driver for HP printers and has a very convincing name: hpdriver.exe on a 32-bit system or hpw64.exe on a 64-bit one. Once on the computer, it first scans the active processes and compares them against its own list of enemies: the competing processes are listed in the code by name. Well-known miner Trojans are on the hit list, as are some legitimate Windows processes whose operation is not crucial for the system, and all of them are terminated immediately. After that everything is as usual: the computer groans, the program mines.
However, the malware relies on a built-in list of processes, so its capabilities are very limited. The next step, apparently, will be Trojans with a behavioral analysis module, which will be able to catch not only well-known competitors but also new ones.
Not very smart intersection
While scientists and inventors in big cities around the world are thinking about how to optimize traffic and overcome traffic jams with the help of new technologies, their colleagues have already found a way to keep the usual traffic jams even in the city of the future. This can be done, for example, through a flaw in the standard configuration of one of the common V2I systems, I-SIG, which allows smart cars to exchange information with the intersection infrastructure, which in turn adjusts the traffic lights to the traffic intensity. This technology is already used in several US cities, including New York.
A traffic jam can be caused by exploiting the fact that the system's result depends on the last car to arrive at the intersection. If a single vehicle sends it multiple signals, the system honestly takes each of them for a new car. Hooligans can take advantage of this naivety: a malicious smart car prepared by hackers and parked by a traffic light can make the intersection let non-existent cars through for a long time.
However, attackers will have to work hard to take advantage of this vulnerability. Thousands of smart cars would be required to seriously stop traffic on automated streets. So to pull off a major act of sabotage, attackers would have to figure out a way to infect them on an industrial scale. It seems that the current implementation of V2V technology does not allow malware to be transmitted from vehicle to vehicle.
Where do surveillance cameras look?
Surveillance cameras are now used almost everywhere, except perhaps public toilets. But while they may scare off ordinary crooks, cybercriminals are more likely to find them attractive.
Thus, Hanwha SmartCam SNH-V6410PN cameras manufactured by Hanwha Techwin, which are most often used in private apartments and houses or small offices, have recently turned out to be a tidbit for hackers. Just think: device passwords and serial numbers are not protected against brute forcing, data is sent over plain HTTP, and the cameras contact other devices through the cloud, which any Jabber account owner can access with a simple manipulation.
And what scope for criminal activity: you can simply spy on the monitored site, you can register in the cloud on behalf of users who have not yet registered their cameras, or you can load malicious firmware onto devices and use them to attack other devices on the local network. The configuration file is not encrypted in any way, and replacing it is not a difficult task.
One thing is reassuring: most of these bugs have already been fixed, and the rest are being hastily patched. So this is, in general, not scary. It becomes scary when you realize that the company produces not only innocuous home cameras but also many other devices, including self-propelled artillery and autonomous machine gun turrets. That is, in effect, robots that have firearms and, that's right, a video camera.
Antiquities
"Astra-1010"
A very dangerous encrypted resident virus. It writes itself to the .COM and .EXE files of the current directory when an infected file is started, and then to files launched for execution. The algorithm for infecting .EXE files contains a number of errors that can lead to file loss. On the 16th of every month it encrypts (XOR 55h) the disk partition table in the MBR of the hard drive. It traces int 21h. It contains the strings: "© AsTrA, 1992", "(3)".
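Because XOR is its own inverse, this kind of partition-table damage can be recognised and undone from a saved copy of the sector. The Python sketch below is an added example, not code from the original column: it assumes the virus XORs all 64 bytes of the table at offset 1BEh with 55h, and the sample sector is constructed.

```python
import struct

PT_OFFSET, ENTRY_SIZE, ENTRIES = 0x1BE, 16, 4  # classic MBR partition table layout
KEY = 0x55  # key from the description; assumed to cover all 64 table bytes


def parse_table(table: bytes):
    """Return the used partition entries, or None if the table is implausible."""
    parts = []
    for i in range(ENTRIES):
        entry = table[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE]
        if entry == bytes(ENTRY_SIZE):  # all-zero slot means "unused"
            continue
        boot, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        # A sane entry has boot flag 00h/80h, a non-zero type and a non-zero size.
        if boot not in (0x00, 0x80) or ptype == 0 or sectors == 0:
            return None
        parts.append({"slot": i, "active": boot == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    # Partitions must not overlap each other.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    if any(a_end > b_start for (_, a_end), (b_start, _) in zip(spans, spans[1:])):
        return None
    return parts or None


def recover_mbr(sector: bytes):
    """Classify a 512-byte MBR sector; return (state, repaired_sector, partitions)."""
    if len(sector) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    table = sector[PT_OFFSET:PT_OFFSET + ENTRY_SIZE * ENTRIES]
    parts = parse_table(table)
    if parts:
        return "clean", sector, parts
    decoded = bytes(b ^ KEY for b in table)  # applying the XOR again restores it
    parts = parse_table(decoded)
    if parts:
        fixed = sector[:PT_OFFSET] + decoded + sector[PT_OFFSET + len(decoded):]
        return "xor55", fixed, parts
    return "unknown", sector, []


def sample_mbr() -> bytes:
    """Constructed sample: one active FAT16 partition starting at LBA 63."""
    entry = bytes([0x80, 1, 1, 0, 0x06, 15, 63, 99]) + struct.pack("<II", 63, 100737)
    return bytes(PT_OFFSET) + entry + bytes(48) + b"\x55\xAA"
```

The repaired sector should be checked against the listed partitions before it is written anywhere; a table that validates neither as-is nor after decoding is reported as "unknown" and left untouched.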
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. That depends on your luck.