Security Weekly 9: Petya unmasked by its author, Android closes the Broadcom chipset bug, CopyCat infects 14 million devices
The Petya ransomware Trojan can certainly do a lot: it overwrites the MBR and encrypts the MFT, but it never became as famous as its imitators. The whole story with the clones, the data wipers, apparently upset Janus, the author of the original Trojan, so much that he went ahead and published his private key.
- However, he did not simply publish it; he turned it into a creative exercise and a game with the white hats: he encrypted an archive and left a link to it on his Twitter, with a hint in the form of a quote from the film GoldenEye. Maybe that way at least someone would notice and remember. The author is evidently a Bond fan: hence his nickname, the name of the file with the key (Natalya), and the names of the Trojans Petya and Misha. Malwarebytes solved the riddle fastest and published the contents of the file:
Here is our secp192k1 privkey:
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the “Personal Code” which is BASE58 encoded.
- Anton Ivanov, a researcher at Kaspersky Lab, immediately checked it: the key is genuine. Researchers had broken Petya before, which forced Janus to fix the mistake in newer versions of the Trojan, but now the victims of every real Petya variant can get their files back for free.
- This is not the first time a key has been published for a ransomware Trojan; something similar happened a year ago with TeslaCrypt. Janus has now simply closed his project, and at the same time cut off the oxygen to the imitators who were making money with a slightly modified Petya. Alas, this gift will not help the victims of ExPetr/NotPetya.
Google has closed the Broadpwn bug on Android
- There is an opinion that it is not easy to pick up an infection on a smartphone: you have to go out of your way to be a fool, agree to download an unknown file such as adobe_flash_update_mamoi_klyanus_bez_virusov.apk, allow installation of untrusted apps and finally install everything yourself. However, there is a direct and obvious threat on mobile OSes: RCE bugs, which are regularly found and patched. This time a researcher from Exodus Intelligence announced a Black Hat USA 2017 talk about a particularly unpleasant bug, CVE-2017-9417, in the BCM43xx Wi-Fi chips made by Broadcom. It was named Broadpwn, which should indicate the level of danger. It allows arbitrary code execution in the kernel context, and the attack is carried out remotely. Interestingly, the demonstrated exploit also successfully bypasses DEP and ASLR.
- There is no complete list of vulnerable smartphone models, but the author of the exploit states that the bug is present in all Samsung flagships, in many LG and HTC models, and in several iPhones. Whether Broadpwn can be exploited on iOS is still unknown, and Apple is keeping silent about this bug, as you-know-who always does. That is, Apple.
- Besides Broadpwn, Google's latest update also included patches for 11 critical holes, including the RCE bug CVE-2017-0540, which allows a specially crafted file to run code in the context of a privileged process. This "black hole" is present in Android 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1 and 7.1.2. Nexus and Pixel owners will get the patches; everyone else, as luck will have it. In general, it is that feeling when Google removes several RCE vulnerabilities at once with its next update, and you understand that the patch will never reach your smartphone released a year ago.
The CopyCat Trojan infected 14 million Android devices
- And again about mobile hygiene. Suppose you follow the information security rules for mobile devices, do not browse anywhere dubious on your smartphone and install only well-known apps with millions of downloads. And still a dirty trick like CopyCat somehow ends up on your device and shows you tons of advertising pop-ups.
- This is not a hypothetical story: about 14 million Android devices found themselves in this position, and on 8 million of them the Trojan was hard to remove because it had obtained root privileges.
- The Trojan is distributed not only by traditional methods such as malicious landing pages and spam. It is embedded into popular applications and spread through the third-party app stores that are so popular in Asia, so most infections are recorded in that region.
- After the application with CopyCat inside is installed and run, the Trojan extracts a bundle of exploits and tries to obtain root rights on the system, then happily injects its library into the Zygote process, the app launcher daemon. Next, it replaces the installer parameter (install_referrer) so that it receives the money the application publisher spends on promotion. It can also substitute the advertisements shown to the user and is able to install third-party applications, that is, it acts as a guaranteed distribution channel for whatever is ordered.