
Security Week 6: the “bewitched letter” threatens Apple fans, scammers collect Monero by captcha, and mining now comes to Word
→ News
Most of us use at most two keyboard layouts in everyday life, and we are unlikely to consider that the applications we run every day must understand and correctly display thousands of characters from hundreds of languages. Forget even one character, and the whole program may come down like the Tower of Babel.
Unfortunately, this story is not a parable but an account of a very real bug that hung or crashed iOS applications when they tried to render one of two Unicode characters of the Telugu language. The problem appeared on some versions of iOS in applications using the default San Francisco font, and it caused a lot of inconvenience to users who were not expecting such a trick.
Imagine: you open your social media feed on your beloved iPhone, and there a user with strange characters in their name has liked your post, or someone else's. Well, you think, probably a foreigner... and you have no time to think about anything else, because other worries immediately take over: the app you opened hangs solid and refuses to work. You restart it and try to load it again, but nothing happens; you have to delete and reinstall it. After reinstalling, everything finally works. You go to your feed, and there is that user again. Crash, reboot, reinstall, repeat until you have torn out all your hair...
On the face of it, this looks like a typical “text bomb”, but it is nothing of the kind. “Text bombs” are usually created by attackers or plain hooligans and are a piece of executable code. Telugu, however, is not a programming language but an ordinary human language, spoken by nearly 80 million people in India and other countries. One of Motherboard's authors gives an example: his own Twitter “hanged itself” from a like by an ordinary user who had no hooligan intentions at all. Simply to display certain characters, the CoreText library accesses an invalid memory region. The system treats this as a serious error, panics and brings down the offending component.
The new “text bomb” crashes such popular applications as Mail, Twitter, messengers, Slack, Instagram and Facebook (and this is not a complete list). Not only iPhones but other Apple devices, watches and TVs, were at risk... And if one of the Telugu characters appears in a pop-up notification, it is not one of the installed applications that locks up but SpringBoard, a key part of iOS. The device then falls into an endless reboot loop and the entire system has to be reinstalled. So if, while reading this, you are wondering whether to prank an Apple-fan acquaintance this way, you had better refrain. Besides, the bug is already fixed in the new beta versions of iOS, tvOS, macOS and watchOS, and Apple promises to roll the patch out to the other systems in the near future.
Monero hauled on the backs of non-robots
→ News
Have you ever spent ten minutes cursing while trying to enter a captcha on a phone with its tiny on-screen keyboard? Well, scammers have figured out how to cash in, or rather to mine, on your inconvenience.
Researchers discovered a new mining scheme aimed at Android mobile devices while studying a malicious advertising campaign. Checking various chains of bad ads, they noticed an interesting pattern: click certain banners from a desktop computer and you land on a fake tech support site; click from a phone and the browser shows a big, scary notice in red and black: your device is exhibiting suspicious behavior, prove you are not a robot by entering a captcha, and until you do we will mine Monero on your device to compensate for the expenses.
And, most amusingly, the crooks are hardly lying; they just shift the emphasis a little: the mining is not “carried out because of suspicious behavior”, it is the suspicious behavior itself. And once the user enters the captcha, the mining honestly stops and the Google start page appears.
But such “openness” is little comfort, because crypto-jacking in its most indecent form can not only slow a phone down but also seriously damage the battery, as Kaspersky Lab experts learned from bitter experience when examining the multi-functional Loapi malware in December.
However, this particular campaign, which has been running since at least November 2017, seems more harmless. And it is unlikely to be collecting millions: since phone processors are low-powered, users would have to be kept on the captcha page for a very long time to bring in significant money. The researchers checked five domains used by the scammers. They are visited by only 800 thousand users per month, and each spends an average of 4 minutes on the mining page. Of course, the attackers probably have more domains in reality, but by preliminary estimates their earnings hardly exceed several thousand dollars a month.
Mining through Word, or the experts know a thing or two about perversions
→ News
Any bug can be turned into a feature if served properly, and with enough imagination any feature becomes a bug: the law of the unity and struggle of opposites in action. And given the current popularity of Monero and the Coinhive service (best not mentioned after dark), any browser-adjacent bug is immediately put to use for mining. Now it is Word's turn: Microsoft has added the ability to embed an iframe tag to display video from third-party sites. (Here we wanted to joke that mining through weather widgets awaits us next, but it turned out someone had already thought of that.)
So, back to Word: no cases of mining through documents with iframes have been seen in the wild so far, but it is simple to implement. The thing is that, firstly, Word does not restrict which sites or domains the video is loaded from; secondly, the pop-up window in which the video plays is in fact an Internet Explorer browser with its interface stripped off. This means scripts can run in it, including crypto-jacking ones.
True, it is not very profitable to mine cryptocurrency through documents: for that you have to make the user watch the video in the document for a very long time. You can, of course, embed a more believable video or artificially stretch the time with loading screens, but in general it is far more profitable for fraudsters to cut out the intermediate stage and simply start their own streaming service, with porn, for example, so that visitors are sure to stick around for a long time.
Microsoft, by the way, does not consider this vulnerability a security risk. Which is logical: the manufacturer's business is to provide a useful capability, and the user's business is to show prudence. Moreover, a crypto-jacking script built into the video display code is easily detected by antivirus software.
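Since Word itself does not restrict where the embedded video comes from, the natural defender's check is a document scanner that does. The following Python script is an added example, not code from the column or from Microsoft: it opens a .docx, finds online-video embeds and flags iframes whose host is outside an allowlist. It assumes Word stores the embed markup in the embeddedHtml attribute of a wp15:webVideoPr element inside word/document.xml; the allowlist and the sample document are constructed here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import escape
# Assumption: Word stores an online-video embed as a wp15:webVideoPr element whose
# embeddedHtml attribute holds the <iframe> markup; it is matched by local name only.
WEBVIDEO_LOCALNAME = "webVideoPr"
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}  # constructed allowlist

class _IframeSrcParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src attribute of every <iframe> seen in the fragment

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe" and src:
            self.sources.append(src)

def scan_docx(data):
    """Return (host, src) pairs for embedded video iframes whose host is not allowlisted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for el in ET.fromstring(z.read(name)).iter():
                if el.tag.rsplit("}", 1)[-1] != WEBVIDEO_LOCALNAME:
                    continue
                parser = _IframeSrcParser()
                parser.feed(el.attrib.get("embeddedHtml", ""))  # XML-unescaped by ET
                for src in parser.sources:
                    host = (urlparse(src).hostname or "").lower()
                    if host not in ALLOWED_VIDEO_HOSTS:
                        findings.append((host, src))
    return findings

def build_sample_docx(iframe_src):
    """Construct a minimal .docx (a sample, not real Word output) holding one video embed."""
    html = '<iframe src="%s" width="640" height="360"></iframe>' % iframe_src
    doc = ('<w:document xmlns:w="urn:sample-w" xmlns:wp15="urn:sample-wp15"><w:body><w:p>'
           '<wp15:webVideoPr embeddedHtml="%s" h="360" w="640"/></w:p></w:body></w:document>'
           % escape(html, {'"': "&quot;"}))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

A real document can carry several embeds; the scanner reports each non-allowlisted one, so an empty result means every embedded player comes from an expected host.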
Antiquities
Boot-Exe Family

Resident, harmless viruses; they write themselves into EXE files and the boot sectors of disks. The hard drive's boot sector is infected when an infected file is run; floppy disk boot sectors are infected when they are read from the disk. The original boot sector is stored on the hard drive at 0/0/11 or 0/0/12 (head/track/sector), on a floppy disk at 1/0/3. EXE files are infected by a rather original algorithm: the viruses analyze the information read from the disk (int 13h). If the sector read from the disk contains an EXE file header (the first two bytes are “MZ” and some other conditions are met), the virus writes itself into free space in that header and saves the modified sector back to disk. That is: a) the file's length does not increase when it is infected; b) there is no need to handle attributes, file times or critical errors (int 24h).
They do not manifest themselves in any way; they hook int 13h.
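A detection heuristic derived from the description above, added here as an example and not taken from the column or the virus encyclopedia: a Python check that reports non-zero bytes in the unused parts of a DOS EXE (MZ) header, the “free space” this family writes itself into without changing the file length. The heuristic is hypothetical, bytes 0x1C-0x3F are treated as reserved (newer executables keep e_lfanew there), and the sample image is constructed.

```python
import struct

# DOS EXE header: 14 little-endian words, named per the classic MZ layout.
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")
RESERVED_END = 0x40  # 0x1C..0x3F is treated as reserved (holds e_lfanew in PE files)

def mz_header_slack(data):
    """Hypothetical heuristic: describe the unused bytes inside an MZ header.

    The Boot-Exe family described above writes itself into free header space, so
    a clean header is expected to hold only zero bytes outside the fixed fields
    and the relocation table. Returns None for data that is not a DOS EXE image.
    """
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    h = dict(zip(MZ_FIELDS, struct.unpack("<14H", data[:0x1C])))
    header_len = h["e_cparhdr"] * 16          # header size is given in paragraphs
    reloc_start = h["e_lfarlc"]
    reloc_end = reloc_start + 4 * h["e_crlc"]  # each relocation entry is 4 bytes
    fixed_end = min(RESERVED_END, reloc_start)
    slack = data[fixed_end:reloc_start] + data[reloc_end:header_len]
    nonzero = sum(1 for b in slack if b)
    return {"header_len": header_len, "slack_bytes": len(slack),
            "nonzero": nonzero, "suspicious": nonzero > 0}

def build_sample_exe(filler=b""):
    """Construct a sample DOS EXE image with a 512-byte header (not a real program).

    One zeroed relocation entry sits at 0x40; everything from 0x44 to 0x1FF is
    free header space, where `filler` is placed to imitate an overwritten header.
    """
    hdr = bytearray(512)
    struct.pack_into("<14H", hdr, 0, 0x5A4D, 2, 2, 1, 32, 0, 0xFFFF,
                     0, 0, 0, 0, 0, 0x40, 0)
    hdr[0x44:0x44 + len(filler)] = filler
    return bytes(hdr) + b"\xCD\x20"  # load module: int 20h (terminate program)
```

Legitimate linkers can also leave non-zero data in header slack, so treat a hit as a reason to look closer rather than as a verdict.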
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. That's the luck of the draw.
