Security Weekly 28


Security Weekly 28: Root-Access For Diligence, The Consultant’s Miner, And The Malicious Macro Virus

If a person stubbornly keeps pressing the same button even though nothing happens, he is either an idiot or a tester by vocation. This week, for example, that is how an almost comical vulnerability was found in the new macOS High Sierra 10.13.1 and 10.13.2 Beta: it turned out that if you type root in the login field, put the cursor in the password field, enter nothing there, and click “Unlock” several times, the system lets you in with root rights. Naturally, Apple reacted to such a vulnerability instantly.

  • This bug was especially dangerous for machines with remote access enabled. For everyone else it is not so critical, as long as you do not leave the machine unattended or you set a screen lock. The bug also did not work if disk encryption was enabled and the device was fully powered off. And those who had already set their own root password had nothing to worry about.

(By the way, if you have a device running macOS High Sierra 10.13.1 or 10.13.2 Beta and still have not set a root password, now is the time. Even with the patch released, it does not hurt. Seriously, do it right now; you do not even have to finish reading this paragraph.)

How significant this vulnerability was, and whether it is fair to compare it with the recent Keychain problems, is debatable. Immediately after the bug was reported via Twitter, Apple published instructions for setting a root password, and just a day later released an update. The vulnerability, which according to Apple arose from an error in the logic that verifies administrator credentials, received the designation CVE-2017-13872.

Crypto-Miner instead of an online consultant


Either one of the developers sensed a lucky moment and decided to mine some Monero, or the resources of the popular LiveHelpNow widget were hacked; either way, on the eve of Black Friday, the Coinhive crypto-miner was discovered in the JavaScript of this innocuous browser applet.

  • The LiveHelpNow widget is a tool for communicating with visitors on a website and is used by many online stores, including giants such as Crucial and Everlast: according to PublicWWW, it is installed on about 1,500 sites. In other words, any shopper merely asking the seller whether “the same dressing gown, but with mother-of-pearl buttons” was in stock could unwittingly be mining cryptocurrency for a stranger.

Apparently, the calculation was that in the bustle of the sales nobody would notice that their computer had started to slow down (or had slowed only slightly). Especially since the miner was not loaded on every machine: either the attacker got something wrong in the code, or the restriction was introduced deliberately to make detection harder.

This is, of course, not the first time miners have been embedded in legitimate browser components, but the scheme is nevertheless quite ingenious.

The qkG ransomware: made entirely of a macro

Another piece of malware living in Microsoft Office macros has been caught. The beauty of this particular specimen is that it does not use the macro to download a payload. It is the payload itself, written entirely in Visual Basic.

  • The infection happens in the typical way: the user downloads an infected Word document, opens it, and clicks the “Enable Editing” button, which also allows macros to execute. The malware launches, but the user notices nothing: to start its subversive activity it uses the onClose function, which lets it trigger the payload only after the document is closed. Perhaps this trick was picked up from the recently dissected Locky, or perhaps the author arrived at it on his own.

Next, qkG first disables Word's protected mode and allows macros to run automatically; second, it writes itself into the template used when creating every new document. Now, if the user creates a Word file and sends it to a colleague by corporate mail, qkG will most likely take root on the colleague's computer as well.

  • Finally, the original file and all documents created after it was opened are encrypted with an XOR function, and a ransom demand is appended to their text. However, restoring the files to their original form is quite easy, because the decryption key, I’m QkG @ PTM17! by TNA @ MHT-TT2, is contained in the encryption code itself.
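To show why a hardcoded XOR key makes recovery trivial, here is an added example (not code from the post or from the qkG sample): repeating-key XOR with the key quoted above, plus known-plaintext key recovery, which works even if the key were not in the macro. The key string is written with an ASCII apostrophe and the spacing as printed above; the document text is constructed.

```python
# Added example: repeating-key XOR as used by qkG, and key recovery from
# a known plaintext prefix. Not code from the original post or the sample.
from itertools import cycle

# Key as quoted in the article (curly apostrophe written as ASCII here).
QKG_KEY = b"I'm QkG @ PTM17! by TNA @ MHT-TT2"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call both
    'encrypts' and decrypts; there is no separate decryption routine."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_document(ciphertext: bytes, key: bytes = QKG_KEY) -> str:
    """Restore a document encrypted with the hardcoded key."""
    return xor_with_key(ciphertext, key).decode("utf-8")


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: if the first key_len bytes of the original
    (e.g. a standard heading) are known, XORing them with the ciphertext
    yields the key directly, because c[i] ^ p[i] == key[i % key_len]."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of both inputs")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


if __name__ == "__main__":
    # Constructed sample document text (not from any real infected file).
    original = b"Quarterly report\nRevenue grew 4% over the previous quarter."
    ct = xor_with_key(original, QKG_KEY)
    assert decrypt_document(ct) == original.decode("utf-8")
    # Recover the key from the ciphertext and a guessed opening line.
    guessed = recover_key(ct, original[:40], len(QKG_KEY))
    assert guessed == QKG_KEY
    print("recovered key:", guessed.decode("utf-8"))
```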

The experts who discovered this malware found several versions of it on VirusTotal. All of them are ransomware of a sort, but they vary in their feature set: one contained code for encrypting the contents of the clipboard, another was triggered by a calendar date, and in a third a decryption function had been added (although not active). Apparently the unknown author is still trying his hand, playing with possible options.

Overall, none of the qkG versions encountered so far looks like a serious threat. The concern is caused not so much by the malware itself as by the destructive potential of its spreading method: the technique makes it possible to disable the macro-execution safeguards through the Windows registry.