Security Week 36: black hole in the core of Windows, Adobe homograph attacks, the largest data leak in the US
EnSilo researchers announced that they found a bug in the core of Windows, but what! It may not allow the antivirus to find out about downloading the executable file. The operation of such a hole completely excludes the possibility of checking the file at startup, that is, the Trojan can actually neutralize the protective solution. The glitch was found in PsSetLoadImageNotifyRoutine, the notification function that is called when the virtual image is loaded. Without its correct operation, it is difficult to control the launch of PE files, but it was there that Microsoft developers left a bug due to which, under CERTAIN CONDITIONS, a malicious file can be launched invisibly to anyone who might be interested.
To exploit this vulnerability, the Trojan must first get into the machine somehow. Comrade Misgav from EnSilo claims that this technique is quite suitable to avoid anti-virus scanning of a file: for example, a cunning incorporeal dropper loads a Trojan onto a machine, launches it, and the antivirus receives either a curved path to an executable or a path to another file that scans.
Of course, since EnSilo reported such a problem to the press, does it mean that Microsoft has already released the necessary update? No matter how. Redmond reacted to the report as follows: since the vulnerability is exploited only on an already compromised system, no one will patch the kernel. Somewhere we already heard similar . By the way, according to Misgava, this bug is at least ten years old, and its history goes back to Windows 2000.
An attack was recorded through IDN
News homographs . A tricky title actually means that someone is trying to trick visitors to popular sites by registering domains with similar spellings. Took adobe.com, replaced with adoḅe.com. Moreover, the subscript under ḅ is not visible at all if the URL is underlined (for example, in an SMS message). It looks soooooooo much like a real site, but inside it’s not the usual profitable offer to buy Photoshop for some 100,500 rubles / month without VAT, but an intrusive update to Flash Player. Which, of course, is not a player, but the Beta Bot backdoor.The rogue Beta Bot acts impudently, disabling the antivirus and blocking access to the websites of antivirus companies. Well, then the attacker, waiting for the computer to be left unattended, enters the car as if to his home and does whatever he wants - for example, it steals data from various web forms or does any dirty tricks on behalf of the user.
Such an attack is not new - at the disposal of criminals there are many Unicode characters or even the standard ASCII table, which look like Latin, but with slight differences. Browsers have protection against homographs, but it doesn’t work if all characters in the domain name are replaced with foreign characters - the browser simply considers this to be a domain in national encoding.
Equifax have stolen the data of 143 million Americans
News. The credit bureau is a very important institution in the USA, where almost everyone lives on credit. Without a full credit history, an American has a tight time: you can’t buy a house or send children to a university. Therefore, BKI is the very place where information about every American is stored reliably and indefinitely. Moreover, there is stored information not only about how a person gives a loan, but also a lot of data used to assess creditworthiness.
And now the largest of these loan-forming enterprises - Equifax Bureau - was hacked a month ago, and the information was naturally stolen. According to the victim, this story could go sideways to about 143 million Americans, as hackers managed to steal social security numbers, driver’s licenses, dates of birth and address. Well, that is, the office still saved credit histories. Probably. They think so.
However, even without credit data, this is an extremely valuable array in terms of market conditions. Such a colossus can be used in many ways, most of which will lead to honest people becoming poorer, and dishonest ones - on the contrary. Moreover, the most interesting is that some have already made a decent profit on this incident, and these are top managers of Equifax itself. So, Bloomberg found outthat three Equifax executives, including, typically, finder, managed to quickly merge the shares of their home office when they learned about the hack (that is, before the announcement of the fact itself). What threatens such enterprise to these people is quite understandable, in the USA this is very strict.

Antiquities
“MusicBug” A non-
dangerous virus, the “Brain” method infects the boot sectors of the hard drive and floppy disks. Contains the text "MusicBug Made in Taiwan." When accessing discs, it plays several tunes. It hooks int 13h.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky. 1992 year. Page 102.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.