Security Week 9: miner eliminates competitors, snag for traffic lights and extremely hacked cameras

    Mining has become perhaps the most frequent news topic and the most fashionable pastime for cybercriminals. But where there is popularity, there is competition: at this pace, every computer will soon be running several malicious programs from different developers, not to mention scripts embedded in web pages. And CPU resources do not stretch forever.

    An unknown craftsman foresaw this prospect and decided to play it safe: a miner Trojan has appeared in the wild that finds and stops its competitors.

    The program disguises itself as a driver for HP printers and has a very convincing name: hpdriver.exe on a 32-bit system or hpw64.exe on a 64-bit one. Once on the computer, it first scans the active processes and compares them with its own list of enemies: competing processes are listed in the code by name. The list includes well-known Trojan miners, as well as some legitimate Windows processes that are not essential to the system; the malware terminates all of them immediately. After that, everything is as usual: the computer groans, the program mines.

    However, the malware relies on a hard-coded list of processes, so its capabilities are very limited. The next step, apparently, will be Trojans with a behavioral analysis module, which will be able to catch not only known competitors but also new ones.
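
From the defender's side, the behaviour described above (one process terminating several unrelated processes shortly after it starts) is a stronger signal than the file name alone, because it survives a rename. The following is an added example, not code from the column or from any product: the event tuple layout, the thresholds and every process name other than hpdriver.exe and hpw64.exe are constructed assumptions.

```python
from collections import defaultdict

# File names the column reports for the miner (32-bit / 64-bit builds).
REPORTED_NAMES = {"hpdriver.exe", "hpw64.exe"}

# Constructed sample events: (seconds, actor image, action, target image).
# The tuple layout is an assumption; map your process-audit fields onto it.
SAMPLE_EVENTS = [
    (100, "hpw64.exe", "start", ""),
    (101, "hpw64.exe", "terminate", "miner_a.exe"),
    (102, "hpw64.exe", "terminate", "miner_b.exe"),
    (103, "hpw64.exe", "terminate", "helper_svc.exe"),
    (200, "taskmgr.exe", "terminate", "notepad.exe"),
    (300, "updater.exe", "terminate", "app.exe"),
    (900, "updater.exe", "terminate", "app_helper.exe"),
    (1500, "updater.exe", "terminate", "app_tray.exe"),
    (2000, "printsvc.exe", "terminate", "miner_a.exe"),   # renamed copy
    (2004, "printsvc.exe", "terminate", "miner_c.exe"),
    (2009, "printsvc.exe", "terminate", "helper_svc.exe"),
]

def find_process_killers(events, min_targets=3, window=30):
    """Actors that terminate >= min_targets distinct processes within window seconds."""
    kills = defaultdict(list)
    for ts, actor, action, target in events:
        if action == "terminate":
            kills[actor.lower()].append((ts, target.lower()))
    flagged = {}
    for actor, items in kills.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct targets killed in the window that opens at this event.
            targets = {t for ts, t in items[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[actor] = sorted(targets)
                break
    return flagged

def triage(events):
    """Pair the behavioural signal with the file names given in the column."""
    killers = find_process_killers(events)
    findings = []
    for actor in sorted({e[1].lower() for e in events}):
        reasons = [r for r, hit in (("reported-name", actor in REPORTED_NAMES),
                                    ("mass-terminate", actor in killers)) if hit]
        if reasons:
            findings.append((actor, reasons))
    return findings
```

The slow `updater.exe` and single-kill `taskmgr.exe` entries stay below the threshold, while the renamed `printsvc.exe` is still caught by behaviour alone.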

    A not very smart intersection


    While scientists and inventors in big cities around the world are thinking about how to optimize traffic and beat traffic jams with new technologies, their colleagues have already found a way to keep the familiar traffic jams even in the city of the future. This can be done, for example, through a flaw in the standard configuration of I-SIG, one of the common V2I systems, which lets smart cars exchange information with the intersection infrastructure; the infrastructure, in turn, adjusts the traffic light timing to the traffic intensity. This technology is already in use in several American cities, including New York.

    A traffic jam can be caused by exploiting the fact that the system's output depends on the last car to arrive at the intersection. If a vehicle sends it multiple signals, the system honestly takes each of them for a new car. Hooligans can take advantage of this naivety: a malicious smart car prepared by cybercriminals and parked near a traffic light can make the intersection keep letting non-existent cars through for a long time.

    However, attackers will have to work hard to exploit this vulnerability. Seriously halting traffic on automated streets would require thousands of smart cars, so to carry out major sabotage, attackers would have to find a way to infect them on an industrial scale. And the current implementation of V2V technology does not appear to allow malware to spread from car to car.

    Where are the surveillance cameras looking?

    CCTV cameras are now used almost everywhere, except perhaps in public toilets. But while they may scare off ordinary crooks, they are more likely to attract cybercriminals.

    Thus, Hanwha SmartCam SNH-V6410PN cameras made by Hanwha Techwin, which are most often used in private apartments, houses or small offices, recently proved to be a tasty morsel for crackers. Just think: passwords and device serial numbers are not protected against brute force, data is sent over plain HTTP, and the cameras talk to other devices through a cloud that any Jabber account owner can get into with some simple manipulation.

    And what scope for criminal activity: you can simply spy on whatever the camera is watching, register in the cloud cameras that their owners have not yet registered, or load malicious firmware onto the devices and use them to attack other devices on the local network, since the update server's address in the configuration file is not encrypted in any way and replacing it is not difficult.

    One thing is comforting: most of these bugs have already been fixed, and the rest are being hastily patched. So this, in general, is not scary. It becomes scary when you realize that the company makes not only harmless home cameras but also many other devices, including self-propelled artillery mounts and autonomous machine-gun turrets. That is, in effect, robots that have firearms and, that's right, a video camera.



    A very dangerous resident virus. It is encrypted and writes itself to the .COM and .EXE files of the current directory when an infected file is started, and then to files as they are executed. The infection algorithm for .EXE files contains a number of errors that can lead to file loss. On the 16th of the month it encrypts (XOR 55h) the partition table in the MBR of the hard drive. It traces int 21h. Contains the strings: "© AsTrA, 1992", "(3)".

    Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It's a matter of luck.