Archive | August 2012

Anonymous: Sabu 6-month Sentencing Wait

LulzSecSabu, mole hacker of Anonymous small groups Antisec and LulzSec, now has a wait time on his sentence, because of his cooperation with the FBI. The cooperation is done to help the FBI track down hackers involved with Anonymous, and attempt to put an end to the nonsense.

Since the FBI arrested Sabu, or his real name Hector Xavier Monsegur, last June, he’s been working undercover for them. After providing information leading to arrests of several Antisec and LulzSec members, the charges/sentencing is being waited for Sabu.

The reactions from fellow LulzSec/Anonymous members has been utter denial of his original involvement with the group, and how Sabu even got the idea that spilling the details would help the groups’ plans: “Activism and hacking, also known as Hacktivism. It involves protest against the government, corporations, news media, etc. using street protest and online blackhat hacking. Usually the hacking done by these members has been more blackhat style, in which they are doing it for the purpose of damage and to also gain money. Makes Anonymous seem more illegitimate if you look at it like that.

Although unstated what the plea deal was, Sabu is entitled to a maximum charge (after pleading guilty in March) to 124 years in prison. The charges involved 12 federal offenses, including conspiracy to commit computer hacking, and conspiracy to commit bank fraud, among other charges. Some of the things mentioned by Sabu led to other charges for hackers that were also arrested from Anonymous.

Since LulzSec’s & Antisec’s fallout, small hacking groups have appeared and then disappeared, including SpexSec and r00tbeersec. Since Sabu’s leave, Anonymous has never been the same. Who would care? Their unethical behavior must be stopped. The only way to get it to stop is to continue to hold strong to our values and beliefs. The world system cannot be perfect, and they seem to have this idea it can be. The economic difficulties all around the world complicate every year. There is no end to struggle, it’s part of life.

Trojan Shamoon Flawed and Not Up-to-Speed

As we reported a few days ago, Shamoon is a new trojan malware that has the ability to take control of a computer and then infect the MBR. However, from a full study, it does not appear to be as “up-to-speed” as researchers thought.

ThreatPost reports on the issues: “Some clumsy coding discovered during an analysis of the Shamoon malware has led researchers to conclude that it is probably not related to the Wiper malware that hit some Iranian networks recently and likely isn’t the work of serious programmers.”

“This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems,” wrote Kaspersky Lab researcher Dmitry Tarakanov in a Securelist post.

Instead, researchers are seeing that the Shamoon malware only steals data from the machine, before infecting the MBR. Some consider the work of Shamoon malware, like we also do, the work of a skiddie.

Also, it seems the malware is misbehaved, because it relies on a Windows Service, set to Start and Run Automatic. If the Service is stopped, half the malware doesn’t work. This kind of peculiar sense shows that this Shamoon malware may just be a test of the abilities of the hacker, and could possibly lead to other complicative malware.

As usual, stay tuned here for more updates in the future on the Shamoon malware.

 

Adobe Releases Subsequent Updates for 6 Flaws

New releases of update from Adobe come a week after their recent release, which was critical. Having subsequent updates for critical flaws begs the question of whether or not Flash Player is safe. Looks as if AIR was affected, as well. This patching closes six vulnerabilities, helping to safeguard against hackers.

These platforms are affected, and now have a patch available for download:

  • Windows (New update: 11.4.402.265)
  • Mac (New update: 11.4.402.265)
  • Linux (New Update)
  • Android (New Update)

The customized Google Chrome version (Pepper) should be automatically update to version 11.3.31.230 for PC and 11.4.402.265 for Mac.

For Windows and Mac users, bear in mind the new Adobe AIR 3.4.0.2540, which you should include with your updates for Flash Player.

Last week’s update included a critical flaw (CVE-2012-1535) in Adobe Flash Player.

For this week’s update, it fixes the following, according to Adobe:

  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
  • These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).
  • These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168).

 

r00tbeersec Returns with Philips Hack

 

Today, it has been discovered r00tbeersec making its return with the hack on Philips. As we reported yesterday, r00tbeersec is a new hacking group apparently wanting to make a grand entrance in to the hacking world. Plaintext passwords were revealed in the hack against Philips. First AMD…now Philips. For those who don’t know, Philips is a Dutch-based technology extraordinaire.

Anyway, Philips is the victim of a few small SQL database leaks. Maybe a few skiddie SQL hacks. In the databases that were leaked, phone numbers, passwords and hashes, and even addresses were leaked. These databases were storing plaintext passwords, which is known to be quite a vulnerability. Those passwords should be in encrypted databases, not in plaintext.

Of course, poorly chosen passwords were found, just like a poor database (unencrypted). All in all, their company was just waiting/asking to be attacked, per speculation. And of course, r00tbeersec wanted to show off their 200,000 spilled email addresses.

In case you’re wondering, password security is still a problem. Read more here.

Need more Speed? Check for PC issues causing slowdown and try out Speed Tools to improve PC Speed.

r00tbeer or r00tbeersec Making Rounds with AMD, Data Breach

New hacking group dubbed r00tbeersec, with main leader r00tbeer has posted details about an attack on AMD blogging, the Intel chips rival. Some 30 KB of data was apparently stolen, that contained a total of 189 usernames/passwords from their WordPress blog site.

The main AMD blogs site shows the following image (after redirect):

New Android Botnet SMSZombie Makes Appearance

Originally showing up in Chinese Android Market, this SMSZombie malware has the ability to steal money in fraudulent SMS payments. It has apparently infected some half-a-million Android smartphones. A flaw has been detected in the China Mobile Android SMS Payment System, which would allow hackers to exploit it and steal money.

Announced by TrustGo, they had a peek inside different apps on the GFan Android Market, and discovered the infected app, which attempts to take control of the device once installed.

“The SMSZombie virus has been hidden in a variety of wallpaper apps and attracts users with provocative titles and pictures. When the user sets the app as the device’s wallpaper, the app will request the user to install additional files associated with the virus. If the user agrees, the virus payload is delivered within a file called ‘Android System Service’,” the researchers at TrustGo wrote in an analysis.

The malware has the ability to send fraudulent payments back to the attackers via SMS, without the user’s consent. With the ability of controlling the device, it can also set the device up for botnet, turning it into a zombie. That is why the malware is dubbed SMSZombie. Finally, the malware installs a configuration file, like any good botnet zombie would have, which can be updated at any time by the hackers.

 

Protect your device now with Kaspersky Mobile Security.

New Trojan Malware “Shamoon” Overwrites Files, Infects MBR

Get some Popchips and have seat and read the newest info about a new MBR-infecting malware. Now, let’s keep in mind these won’t be new techniques, just a new name for an old technique.

According to Israeli security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization’s network.

The second stage — which kicks off after the malware has done its dirty work — overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable. via ComputerWorld

For the attacking process, it also allows the command-and-control server to be in effect from a second computer (huh?), in which the first computer originally communicated that data to. Which means, there is an alternative trojan being used on the second computer that accepts the data and communicates to the servers for the hackers privately.

We call this second computer a “master”. Which means it is the core computer used to send data to the server. This second computer can accepts data from multiple computers, not just one first computer (hope that makes sense). This is a similar method to the botmasters we see on the IRC networks. Very similar work done, except only automatic.

Shock is found that malware is crippling the computer, after the data is stolen. Normally, malware writers or hackers tend to just withdraw from a computer and no damage is done, except maybe one or two infected files. It is unknown at this point what the algorithm is to overwrite the files, but it is known that the MBR shall be infected in this process.

What does this malware like to overwrite though? Documents, pictures, videos, etc. It likes to kill personal, salvageable data. Sadly, even after removing the malware, your data cannot be recovered. It doesn’t hold it for ransom. It just overwrites it. Right now, it is also unknown whether or not it overwrites the files with malicious code that – when executed – will distribute more malware to the computer. That is… if the computer can be disinfected of the MBR infection first… and hopefully the operating system is accessed.

In the end, it’s just another malware to be removed!

Now, time for technical details:

Main files:

Reporting agent (keeps in touch with hacker) %systemroot%\system32\netinit.exe

Dropper (distributed malware on system) %systemroot%\system32\trksrv.exe

Kernel Mode Driver (clean driver used to gain root access, so MBR can be infected) %systemroot%\system32\drivers\drdisk.sys

File wiping module (literally wipes files on the system) %systemroot%\system32\[RANDOM_NAME].exe

Service information for trksrv.exe:

Display Name: Distributed Link Tracking Server

Service name: TrkSrv

File name: trksrv.exe

After done with its MBR deletion or modification methods, you may get one of few messages on system startup:

  • Operating System not found (75% of the time probably)
  • (Windows Advanced Options Menu Appears) Windows has failed to start… (10% of the time probably)
  • Blue Screen of Death (other 15% of the time probably)

The statistics in parentheses are only speculation. It is imagined that no matter what, system failure or unlikely to boot is caused by this malware. Beware!

 

Purchase Malwarebytes’ Anti-Malware to protect against the download and install of computer-controlling malware.

In addition, it is best to have a good data backup plan, in order to prevent damage due to malware like this. Please consider the following as a purchase of your next protection method:

%d bloggers like this: