Security Weekly 17: a Black Hole in the Windows Kernel, a Homograph Attack on Adobe, the Largest Data Leak in the US
Researchers from EnSilo have announced a bug in the Windows kernel that can prevent an antivirus product from learning that an executable has been loaded. Exploiting such a hole completely removes the possibility of checking the file at launch, so a Trojan can effectively neutralize the protection solution.
- The flaw is in PsSetLoadImageNotifyRoutine, the notification mechanism whose callback is invoked when an executable image is loaded. Without it working correctly it is hard to control the launch of PE files, and it is exactly there that Microsoft's developers left a bug: under SPECIFIC CONDITIONS a malicious file can be launched without anyone who might be interested in it noticing.
- To exploit this vulnerability, the Trojan first has to get onto the machine. Misgav of EnSilo claims that this technique is quite suitable for evading an antivirus scan of the file: for example, a cunning fileless dropper loads a Trojan onto the machine and launches it, while the antivirus receives either a bogus path to the file or a path to a different file, which is what gets scanned.
So, since EnSilo has reported this problem to the press, does that mean Microsoft has already released the required update? Not at all. Redmond reacted to the report as follows: since the vulnerability can only be exploited on an already compromised system, nobody is going to patch the kernel. We have heard that somewhere before. Incidentally, according to Misgav, this bug is at least ten years old, and its history goes back to Windows 2000.
An attack via IDN homographs has been recorded
The tricky title actually means that someone is trying to trick visitors to popular sites by registering domains with a similar spelling. Take adobe.com and replace it with adoḅe.com. The dot under the ḅ is not visible at all if the URL is underlined (for example, in an SMS message). Outwardly it looks like the real site, but inside there is not the usual tempting offer to buy Photoshop for some 100500 rubles a month excluding VAT, but an intrusive Flash Player update. Which is, of course, not a player at all but the Beta Bot backdoor.
- The Beta Bot infection acts brazenly, disabling the antivirus and blocking access to the websites of antivirus companies. Then the attacker, having waited until the computer is left unattended, walks into the machine as if it were his own home and does whatever he wants: for example, steals data from various web forms or plays any dirty tricks on the user's behalf.
- Such an attack is not new: criminals have at their disposal many Unicode characters, or even characters from the standard ASCII table, that look like a Latin keyword but with slight differences. Browsers have protection against homographs, but it does not work if all the characters in the domain name are replaced with foreign ones: the browser simply assumes that this is a domain in a national script.
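An added example (not from the original column) of the check a defender can run on a domain as the user sees it: it flags adoḅe.com, whose only oddity is a combining dot under the b, and an all-Cyrillic look-alike of apple.com that slips past a browser's per-label mixed-script test; the protected brand list and the small confusables table are constructed for the demo and are not a complete mapping.

```python
import unicodedata

# Constructed list of brands to protect; a real deployment would use its own.
PROTECTED = {"adobe.com", "apple.com"}

# Constructed table of Cyrillic letters that render like Latin ones.
# Real tooling uses the full Unicode confusables.txt; this is only enough
# to show the idea (hypothetical, deliberately incomplete).
CONFUSABLE = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
              "у": "y", "х": "x", "і": "i", "ј": "j", "ӏ": "l"}


def skeleton(domain: str) -> str:
    """Reduce a domain to what the eye sees: drop combining marks such as
    the dot under ḅ, then map known look-alikes to their Latin base."""
    decomposed = unicodedata.normalize("NFKD", domain)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLE.get(c, c) for c in stripped).lower()


def scripts(label: str) -> set:
    """Script names (first word of the Unicode name) of the letters in one label."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def classify(domain: str) -> str:
    """Verdict for one domain exactly as a user would see it in a link."""
    if domain in PROTECTED:
        return "legit"
    if domain.isascii():
        return "ascii"
    if any(len(scripts(label)) > 1 for label in domain.split(".")):
        # Browsers already refuse to show a mixed-script label as Unicode.
        return "mixed-script"
    if skeleton(domain) in PROTECTED:
        # Every label is single-script, so the browser renders it as-is:
        # this is the gap described in the text.
        return "homograph"
    return "unicode-ok"


if __name__ == "__main__":
    for d in ["adobe.com", "adoḅe.com", "аррӏе.com", "adoвe.com", "münchen.de"]:
        print(f"{d:15} -> {classify(d)}")
```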
Data on 143 million Americans stolen from Equifax
A credit bureau is a very important institution in the US, where almost everyone lives on credit. Without a full credit history an American has a hard time: you cannot buy a house or send your children to a university. So a credit bureau is precisely the place where information about every American is stored, securely and indefinitely. And it stores information not only about how a person repays credit, but also a mass of data used to assess creditworthiness.
- And the largest of these lending enterprises, the Equifax bureau, was hacked a month ago, and the information was naturally stolen. By the victim's own admission, this story may affect about 143 million Americans, as the hackers managed to take away social security numbers, driving licence numbers, birth dates and addresses. Well, at least the office's credit histories are still safe. Probably. They think so.
However, even without credit data, this is an extremely valuable dataset by market standards. Such a haul can be put to use in many ways, most of which end with honest people becoming poorer and dishonest ones, on the contrary, richer. Moreover, the most interesting thing is that some people have already made a decent profit on this incident, namely Equifax's own top managers. Bloomberg found out that three Equifax executives, including, typically, the CFO, managed to quickly dump shares of their home office when they learned about the hack (that is, before the fact itself was announced). What such enterprise threatens such people with is quite clear; in the USA they are very strict about that.