Security Weekly 5

Security Weekly 5

Security Weekly 5: EternalBlue was ported to Win 10, the CIA is attacking from the file servers, marketers have invisibly infected the whole world

The adventures of EternalBlue continue: now researchers from RiskSense ported it to Windows 10. At first glance this is a destructive achievement, however, it is in this is a large part of the work of the security researcher. To protect yourself from future threats, you first need to create and test this threat, and it is highly desirable to do this before the “black hats”.

Earlier, RiskSense developed the EternalBlue-module for Metasploit, which differs from the original in that it is much worse than detecting IDS. From him through an implant DoublePulsar which is too well studied and does not know how to hide on the machine, unmasking the attack. Instead, researchers developed their own shellcode, which is able to load the right load directly.

  • The original EternalBlue, like its module for Metasploit, works only on Windows 7 and Windows XP, as well as on Windows Server 2003/2008 R2. In its report, the company analyzes in detail the entire chain of bugs used by the exploit, and it shows from the document that all systems based on the NT kernel are vulnerable to such an attack – however, defense technologies are gaining some of which EternalBlue can bypass, and some are not.
  • Senior analyst of the company Shawn Dillon expressed in the spirit that attacks of this type (heap spray) on the core of Windows – “almost a miracle,” so laborious their development, in the absence of available source code OS. Therefore, it would be easier to develop the same attack for Linux.
  • The researchers also created a version that successfully attacked Windows 10 x64 version 1511 (Threshold 2), which required the development of a new way to bypass DEP. It is noted that on other versions of Win10 a new exploit does not work. But the principle of attack is understandable, and its wide applicability is understandable.

The documentation for the CIA implant has been published for infecting networks

The American intelligence community is increasingly “pleased” with the world community of information security. Whether the NSA competes with the CIA in such a crafty PR, or in both organizations, the followers of Snowden are born – as ideological, but, nevertheless, more cautious.

CIA implant has been published for infecting networks
  • Last Thursday, WikiLeaks published a publication on the implant developed at the CIA, which turns the file server under Windows into a distribution point for malicious programs over the local network. The tool, modestly called Pandemic, replaces the files requested by the machines from the file server with trojan versions. According to the documentation, Pandemic 1.1 can replace up to 20 different files up to 800 MB in size.
  • The implant acts extremely imperceptibly, without direct access to the file. It installs the driver filter of the operating system, which allows on-the-fly modification of I / O from drives. Actually, antiviruses, analyzing files at startup, and transparent file encryption systems act in a similar way.
  • Obviously, the infection of the client machine occurs if the file from the server is launched, that is, executable files are dangerous first. However, you can not exclude the use of Pandemic with exploits, for example, for Microsoft Office – in this case, the infection will spread through the documents.

Chinese malware infected 250 million computers worldwide

The Beijing marketing agency Infotech has demonstrated a brilliant example of ruthless Chinese marketing. Not himself – he helped guys from CheckPoint, who opened a huge campaign Fireball. Modern marketing can not without a big date – the client needs to know better than his mom. Therefore, they need to be collected, as quickly as possible and more.

250 million computers worldwide infected
  • Rafotech came up with a Trojan to assemble it. Malware Fireball infects victim’s computer with very simple methods – it is installed by more or less legitimate programs (the so-called crapware) of Rafotech itself and its colleagues, and it can also be obtained in spam. It would seem that not the most powerful distribution channels, however, according to CheckPoint, the Trojan infected more than 250 million computers around the world.
  • The first thing Fireball replaces the browser installed on the search engine on a fake one, which redirects requests to Yahoo or Google, but at the same time diligently collects information for its owners. In addition, Fireball knows everything that an honest Chinese marketer might need: run arbitrary code, download and install any software from the Internet, manipulate the user’s web traffic in such a way as to generate advertising views. Technically, Fireball is promoted no worse than the more famous botnets – it excellently avoids detection (which proves the scale of distribution), and has a flexible management and control infrastructure.