CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Hardware’ Category

New Zlob Trojan Version Alters Wireless Router Settings And Hijacks DNS

Thursday, June 12th, 2008

Recent versions of the notorious “Zlob” Trojan check whether the victim’s machine sits behind a wired or wireless hardware router. The Trojan then tries to log in to the router’s administrative interface by walking a built-in list of default router username/password combinations. If a pair works, the malware rewrites the router’s domain name system (DNS) settings so that the victim’s name lookups, and with them the traffic that follows, are steered through servers the attackers control. DNS translates names into IP addresses, so whoever controls the resolver a router hands out to its clients can redirect any site the victim tries to reach.

The new Zlob Trojan, also known as DNSChanger, uses the same old lure: it presents itself as a video codec required to view content on certain infected websites. Once installed, it tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers. The DNS hijack is attempted by the installer itself, so by the time the user sees the fake codec installer screen, the malware has already tried to change the DNS settings on the victim’s router.

This appears to be the first time this behavior has been spotted in malware released into the wild. The new function should worry users, since Zlob is among the most “popular” types of Trojans downloaded onto Windows machines (Microsoft counted 14.3 million instances of Zlob-related malware on customer machines in the second half of 2007).

A Windows user whose machine is infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off the computer completely and still leave the network compromised. Users have no reason to look at the router settings if the Internet connection seems to be working fine. In reality, the router may still be sending every name lookup to the attackers’ logging servers even after the system itself is virus-free.

Sunbelt confirms that the malware successfully changes the DNS settings on a Linksys router (model BEFSX41). The test unit was a new, out-of-the-box device with the factory default username and password. Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.

Sunbelt also found that if multiple machines use the same router, all of the systems connected to that router have their traffic hijacked. According to Eric Sites, chief technology officer at Sunbelt, this is something they have not seen before, and it was only a matter of time before someone started using this attack. Sites said his team is testing the new Zlob variants against multiple routers to see how they fare against the malware.

Captured traffic shows that the new Zlob variant tries to reconfigure different router models by requesting the local Web pages of the various “setup wizards” that ship with the devices. A router serving machines infected with Zlob/DNSChanger should be reset to its factory configuration if its settings have been changed. If other Zlob-infected machines share the same router, they must be cleaned of the Trojan before the router is reset; otherwise the malware will simply go back and change the router’s DNS settings again a few minutes after the reset. Any security settings you had in place before the reset (a non-default administrative password above all) will need to be reconfigured.
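The step that makes this attack work is the factory-credential login. The following is an added example, not code from the page, from Sunbelt or from the Trojan: it runs the same default-credential walk against a router’s web admin page, so you can check whether your own router would fall to it. The credential list is a constructed stand-in for the one Zlob carries, and the mock router (HTTP Basic auth, factory login admin/admin) exists only so the script runs offline; `audit_router()` can be pointed at a real router’s URL, but only one you are responsible for.

```python
"""Default-credential audit of a router's web admin page (added example).

Models the Zlob/DNSChanger step described above: try a list of factory
username/password pairs against the admin interface and report the first
one the router accepts.  Credential list and mock router are constructed.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample of the kind of list the Trojan carries (assumption, not Zlob's real list).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", ""),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
]


class MockRouter(BaseHTTPRequestHandler):
    """Stand-in for a consumer router admin page: Basic auth, factory login admin/admin."""

    ACCEPTED = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html><title>Setup Wizard</title></html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_router():
    """Serve the mock router on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def try_login(url, username, password, timeout=3.0):
    """One HTTP Basic auth attempt: True on HTTP 200, False on 401/403."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urlopen(request, timeout=timeout) as response:
            return response.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def audit_router(url, candidates=DEFAULT_CREDENTIALS):
    """Return the first factory pair the router accepts, or None if all are refused.

    This is exactly the step the Trojan performs; run it only against a router
    you administer.
    """
    for username, password in candidates:
        if try_login(url, username, password):
            return (username, password)
    return None


if __name__ == "__main__":
    server, url = start_mock_router()
    hit = audit_router(url)
    print("factory login accepted:" if hit else "no factory login accepted", hit)
    server.shutdown()
```

A router that returns a pair from `audit_router()` needs its administrative password changed before anything else; also check that the administrative page is not reachable from the WAN side, since the same walk works just as well from outside once it is.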

Credit: Sunbelt Blog, Washingtonpost Security Fix Blog


Remote Attack Could Damage Systems Hardware Beyond Repair

Wednesday, May 21st, 2008

An attack demonstrated by Rich Smith of HP Systems Security Lab at the EUSecWest security conference in London shows that embedded systems hardware can be damaged beyond repair. The attack can be carried out remotely over the Internet.

Smith, who demonstrated the attack for the first time in London on Wednesday, calls it “permanent denial of service”, or “phlashing”. It trashes a system by abusing its firmware update mechanism: a successful attack forces the victim to replace the hardware, turning a denial of service into a direct financial loss.

In theory the attack could be cheaper and more effective (since the damage is harder to recover from) than conventional denial of service attacks, which typically rely on attackers paying to rent a network of compromised PCs.

The approach relies on exploiting frequently unpatched vulnerabilities in embedded systems, such as flaws in remote management interfaces, to gain access to a device. That alone would not be enough, but because firmware update paths are seldom authenticated, an attacker with that access can push an update that effectively bricks the system.

Smith is calling on vendors to authenticate the update mechanism, so that a device only accepts firmware images that carry a valid vendor signature, as one way of defending against such attacks. At EUSecWest he is demonstrating a tool that searches firmware for vulnerabilities as well as an attack tool that corrupts vulnerable firmware.

Another EUSecWest presentation will demonstrate a proof-of-concept rootkit capable of covertly monitoring and controlling Cisco routers. The Cisco IOS rootkit was developed by Sebastian Muniz of Core Security and was reported recently.
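What “authenticate the update mechanism” means in practice is that the device checks the whole image before a single byte is written to flash, and refuses anything that fails. The following is an added example, not Smith’s tool or any vendor’s bootloader: a small image format (header, body, authentication tag) with the verification order a bootloader should use. HMAC-SHA256 from the standard library stands in for the vendor signature (an assumption made so the example runs without extra libraries); a real device should use a public-key signature, so that the verification key stored on the device cannot be used to forge images. The `Device` class and the key are constructed for the demo.

```python
"""Authenticated firmware update: verify the whole image before any flash write.

Added example.  Image layout: header || body || HMAC-SHA256(header || body).
HMAC stands in for the vendor's public-key signature (assumption).
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sIII")  # magic, format version, firmware version, body length
FORMAT_VERSION = 1
TAG_LEN = hashlib.sha256().digest_size


class RejectedImage(Exception):
    """Raised for any image that must not reach flash."""


def build_image(key, fw_version, body):
    """Vendor side: pack the header and authenticate header and body together."""
    header = HEADER.pack(MAGIC, FORMAT_VERSION, fw_version, len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def verify_image(key, image, installed_version):
    """Device side. Returns (fw_version, body) or raises RejectedImage.

    Order matters: parse conservatively, authenticate the entire signed region,
    and only then apply policy (rollback) on the now-trusted header fields.
    """
    if len(image) < HEADER.size + TAG_LEN:
        raise RejectedImage("truncated image")
    magic, fmt, fw_version, body_len = HEADER.unpack_from(image)
    if magic != MAGIC or fmt != FORMAT_VERSION:
        raise RejectedImage("unrecognised header")
    if len(image) != HEADER.size + body_len + TAG_LEN:
        raise RejectedImage("length field does not match image size")
    signed = image[: HEADER.size + body_len]
    tag = image[HEADER.size + body_len :]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise RejectedImage("authentication failed")
    if fw_version <= installed_version:
        raise RejectedImage(f"rollback to {fw_version} refused (installed {installed_version})")
    return fw_version, image[HEADER.size : HEADER.size + body_len]


class Device:
    """Toy device: flash contents change only after verify_image() has passed."""

    def __init__(self, key, installed_version, flash):
        self.key = key
        self.version = installed_version
        self.flash = flash

    def update(self, image):
        fw_version, body = verify_image(self.key, image, self.version)
        self.flash = body          # a phlashing payload never reaches this line
        self.version = fw_version
        return fw_version


def demo():
    """Genuine, tampered and rolled-back images against one device; returns the outcomes."""
    key = b"demo-vendor-key"      # constructed; a real key lives in protected storage
    device = Device(key, installed_version=3, flash=b"v3 firmware")
    outcomes = {}
    outcomes["genuine"] = device.update(build_image(key, 4, b"v4 firmware"))
    tampered = bytearray(build_image(key, 5, b"v5 firmware"))
    tampered[HEADER.size] ^= 0xFF  # one flipped body byte stands in for a bricking payload
    try:
        device.update(bytes(tampered))
    except RejectedImage as err:
        outcomes["tampered"] = str(err)
    try:
        device.update(build_image(key, 2, b"v2 firmware"))
    except RejectedImage as err:
        outcomes["rollback"] = str(err)
    outcomes["flash"] = device.flash
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rollback check is there for the same reason as the signature: a genuine but older image with a known flaw is as useful to an attacker as a forged one, and a vendor that signs images but lets devices downgrade has only closed half the door.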


Researchers Discovered A New Technique For Stealthier Rootkits

Monday, May 12th, 2008

Security researchers have discovered a new technique for developing rootkits, malicious packages used to hide the presence of malware on compromised systems.

Instead of hiding a rootkit in the virtualisation layer, it can be smuggled into System Management Mode (SMM), a separate execution mode of Intel x86 processors that the firmware uses to handle low-level events such as memory errors and power management. SMM code runs from a region of memory (SMRAM) that the operating system cannot read once the chipset has locked it.

By running rootkits in SMM, miscreants could make hidden malware harder to detect, since the code sits in an area that anti-virus scanners do not check. A proof of concept is to be demonstrated at the Black Hat conference in Las Vegas in August.

SMM code is invisible to the operating system yet retains full access to physical memory and complete control over peripheral hardware. The proof-of-concept SMM rootkit already functions as a chipset-level keylogger. It hides its memory footprint, makes no changes to the host operating system, and can covertly send sensitive data across the network while evading essentially all host-based intrusion detection systems and firewalls.

Keeping the rootkit well away from the operating system makes the malicious code stealthier, but it also introduces problems. No operating system services are available inside SMM, so attackers have to write their own device-specific driver code for the keyboard controller, network card and any other hardware they want to use, which makes such attacks far harder to pull off.


FBI Looks Into Counterfeit Cisco Equipment

Monday, May 12th, 2008

In late February the FBI broke up a counterfeit distribution network, seizing an estimated $3.5 million (£1.75 million) worth of components manufactured in China. The two-year FBI effort, called Operation Cisco Raider, involved 15 investigations run out of nine FBI field offices.

The US Federal Bureau of Investigation is taking the issue of counterfeit Cisco equipment very seriously and refers to the problem as a “critical infrastructure threat”. According to the FBI, fake Cisco routers, switches and cards were sold to the US Navy, the US Marine Corps, the US Air Force, the US Federal Aviation Administration, and even the FBI itself. Since 2007 the Defense Advanced Research Projects Agency has funded a program called Trust in IC that researches this area.

Last month researcher Samuel King demonstrated how a computer chip could be altered to give attackers virtually undetectable back-door access to a computer system. King, an assistant professor in the University of Illinois at Urbana-Champaign’s computer science department, has argued that by tampering with equipment, spies could open a back door into sensitive military systems. He said the FBI’s briefing slides on the case show that this is clearly something that has the agency worried.

Cisco believes the counterfeiting is being done to make money. The company investigates and tests counterfeit equipment it finds and has never found a “back door” in any counterfeit hardware or software, said spokesman John Noh. “Cisco is working with law enforcement agencies around the world on this issue.”

The company monitors its channel partners and will take action, including termination of a contract, if it finds a partner selling counterfeit equipment, he said. “Cisco Brand Protection coordinates and collaborates with our sales organizations, including government sales, across the world, and it’s a very tight integration.”

The best way for channel partners and customers to avoid counterfeit products is to buy only from authorized channel partners and distributors, Noh said. Buyers have the right to demand written proof that a seller is authorized.

The FBI does not seem satisfied with this advice, however. It appears that Cisco’s own gold and silver partners have purchased counterfeit equipment and sold it on to the government and to defense contractors.


Linux Firewall For Windows On A PCMCIA Laptop Card

Thursday, April 24th, 2008

Yoggie has announced “Gatekeeper Card Pro”, a Linux-based computer on a PCMCIA card for laptops. Designed to off-load security software from the laptop itself, the card is a security-dedicated mini-server with its own processor, memory and hardened operating system that extends corporate-grade security to travelling laptops. According to Yoggie, Gatekeeper Card Pro blocks Internet threats before they reach the laptop’s operating system, and users also benefit from “additional security features and improved laptop performance”.

Gatekeeper Card Pro is packed with anti-virus, anti-spam, anti-phishing, anti-spyware, an intrusion detection system, an intrusion prevention system, a firewall, a VPN client, web filtering/parental content control, transparent email and web proxies, adaptive security policy, a multi-layer security agent and a “Layer-8 Security Engine”.

The card is inserted directly into a laptop’s ExpressCard slot, so the protection is transparent to the user. According to Yoggie, the card:

Blocks Internet threats outside, before they reach your laptop.
Hides the laptop from Internet hackers.
Boosts the laptop’s performance.
Protects from known and unknown attacks.

The card is slated to be available from May 26 at a price of $200.


HP Ships Proliant Server USB Keys With Malware

Tuesday, April 8th, 2008

HP Australia has warned that optional USB keys shipped with some of its Proliant servers are infected by malware.

A batch of 256MB and 1GB USB keys that ship with the servers are infected with the Fakerecy and SillyFDC viruses. The keys are used when installing the optional floppy-disc drive. It is unclear how many infected sticks were distributed.

Fakerecy and SillyFDC are both low-risk worms that spread by copying themselves onto removable media. The malware most likely got onto the Proliant USB keys via an infected machine at the factory rather than as part of a targeted attack.

The incident is not very threatening, since the malware simply is not potent enough to do anything useful from an attacker’s point of view, and only a very small minority of shops would need floppy-disc support on Proliant servers and so be exposed at all.

Nonetheless the incident illustrates the growing use of USB drives as an infection vector. Previous cases of devices leaving the factory already infected have cropped up occasionally over the last few months; to date they have involved digital photo frames and the like.

Up-to-date anti-virus software would detect both of the viruses involved. That may not help where security software is installed on a server only after floppy-disc support has been added. Disabling autorun thwarts both Fakerecy and SillyFDC and may be the better option.

You can protect yourself against USB-based (and FireWire) malware with a few simple steps:

1) Look up the vendor who made the device and do a Google News search on it. Odds are you are not the first to buy it, and if it ships with badware it may be news. If you see a story about it, check the vendor’s web page and see whether you can compare serial numbers of infected and non-infected batches.

2) Every time you get a USB device, scan it for malware with your anti-virus software’s latest signature files (DATs) before you use it. This includes picture frames, USB keys, SD cards, USB/FireWire hard drives, iPods, MP3 players, everything.

3) If you do get a malware hit, report it and forward the sample to the anti-virus vendors.

4) Even if you see no malware, you may still not be safe. If you notice “odd” behaviour on your machine (connections to a random host you do not know, a changed default homepage, etc.), be wary: update your DATs and scan again.

5) Turn off “autorun” in your operating system. It makes life less convenient, but it saves you from automatically running software you do not want. If you want complete safety, and it does not void your warranty or your ability to return the device or render the device useless, format the drive completely using a data shredder or another tool that overwrites every byte on the device.
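Both worms rely on an autorun.inf at the root of the removable drive to get their copy executed, so before trusting a stick it helps to see what that file would launch. The following is an added example, not from the page or from HP: a parser for the `[autorun]` section, a check that lists every launch entry (`open`, `shellexecute`, `shell\<verb>\command`) and the keys used to disguise it (`action`, `icon`), and a `scan_volume()` helper that looks at a mounted volume. The sample autorun.inf is constructed in the style of a removable-media worm and is not a real SillyFDC or Fakerecy file.

```python
"""What would this autorun.inf launch?  Pre-trust check for removable media (added example).

SillyFDC-style worms drop an executable on the drive and point autorun.inf at it,
often spoofing the 'action' text so the AutoPlay prompt looks like Explorer's own
"Open folder to view files".  The sample below is constructed for the demo.
"""
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the key=value entries of the [autorun] section, keys lower-cased."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # ';' starts a comment in .inf files
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(entries):
    """List everything Windows could run from this file, plus the disguises used."""
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"{key} launches: {value}")
    if "shell" in entries:
        findings.append(f"default double-click verb is '{entries['shell']}'")
    if "action" in entries:
        findings.append(f"AutoPlay prompt text spoofed as: {entries['action']}")
    if "icon" in entries:
        findings.append(f"drive icon set to: {entries['icon']}")
    return findings


def scan_volume(root):
    """Check the root of a mounted volume; returns findings, empty if there is no autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return assess_autorun(parse_autorun(fh.read()))


# Constructed sample (not a real worm's file): launch entry hidden in a RECYCLER-style folder,
# every Explorer verb redirected to it, and the AutoPlay prompt text spoofed.
SAMPLE_AUTORUN = """\
[autorun]
open=recycler\\update.exe
shell\\open\\Command=recycler\\update.exe
shell\\explore\\Command=recycler\\update.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def demo_scan():
    """Write the sample to a temporary 'volume' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_volume(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Note what the check does not do: it only reads the file, so a stick with a worm but no autorun.inf (or one that relies on a user double-clicking a disguised executable) still needs the anti-virus scan from step 2. Disabling autorun as in step 5 removes the automatic execution path this file describes, whatever it points at.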


D-Link Routers Vulnerability Mass Scans

Wednesday, March 26th, 2008

Suspicious port scanning that has been traced back to D-Link Inc. routers may mean a worm or bot is on the loose and infiltrating the popular brand’s devices through a three-year-old vulnerability, security researchers at Symantec Corp. said today.

The security company issued a warning Monday night to customers of its DeepSight threat notification service saying there were “reliable reports” of an in-the-wild worm or bot that was attacking, then installing itself on, D-Link routers. By Tuesday, however, Symantec had taken a step back.

“After looking into it, we decided that that was a little misleading,” said Oliver Friedrichs, a director of Symantec’s security response team. “It’s unconfirmed at this point. But we have definitely seen an increase in attack activity, and that activity appears to be coming from other D-Link devices.” In other words, although Symantec’s researchers haven’t gotten their hands on a worm or bot sample, all the evidence points in that direction. “We suspect that it’s a bot,” he said.

The attacks against the D-Link routers begin with scans of TCP port 23, which Symantec ties to a flaw in the routers’ SNMP (Simple Network Management Protocol) service that first showed up in D-Link firmware in 2005 (note that SNMP itself normally listens on UDP port 161, while TCP 23 is the telnet port). The attackers appear to be using the SNMP vulnerability to reset and reconfigure the administrative password on the routers, perhaps to conduct “drive-by pharming” attacks that change a router’s DNS settings so that its users are unknowingly directed to bogus or malicious Web sites instead of the real ones.

Router vulnerabilities are up and attacks against routers are on the upswing, especially attacks that target the devices consumers and small businesses use to create wireless networks. Attackers are increasingly looking “beyond the desktop” for new places to install (and hide) their malware.

Symantec characterises the port-scanning activity it is seeing as “moderate” and says its researchers will continue to investigate. Friedrichs and his team, however, had not been able to verify whether the vulnerability had been patched and, if so, when, or which specific D-Link models might be at risk.

D-Link officials did not respond to a call for comment.

D-Link router owners: make sure the SNMP service is not reachable from the Internet (WAN) side of the router, change any default community strings, and set a non-default administrative password.
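The quickest way to act on that last line is to ask the router, from outside your own network, whether it answers SNMP at all. The following is an added example, not Symantec’s tooling or anything from D-Link: it builds an SNMPv1 GetRequest for sysDescr.0 by hand (BER encoding, no third-party library), sends it to UDP port 161 and decodes the GetResponse. Any reply to the default `public` community string from your WAN address means the agent is exposed and its banner is public. The local mock agent and its banner are constructed so the example runs offline; the only assumption about real devices is that they speak standard SNMPv1.

```python
"""Is the router's SNMP agent answering the Internet?  Minimal SNMPv1 GET probe (added example).

Hand-rolled BER; run probe_snmp() from outside your network against your WAN
address.  The mock agent and its banner are constructed for the demo.
"""
import socket
import threading

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, readable on practically every agent


def tlv(tag, body):
    """BER tag-length-value, short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def ber_int(value):
    """INTEGER, non-negative only (enough for version, request-id and status fields)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                  # base-128 digits, high bit marks continuation
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_snmp(pdu_tag, community, oid, value_tlv, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, 0, 0, varbinds } }."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value_tlv))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def build_snmp_get(community, oid, request_id=1):
    return build_snmp(0xA0, community, oid, b"\x05\x00", request_id)  # value = NULL


def build_snmp_response(community, oid, text, request_id=1):
    return build_snmp(0xA2, community, oid, tlv(0x04, text.encode()), request_id)


def read_tlv(data, pos=0):
    """Decode one BER TLV at pos; returns (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_snmp_response(data):
    """Return (error_status, value) from the first varbind of a GetResponse."""
    tag, msg, _ = read_tlv(data)
    _, _, pos = read_tlv(msg)                      # version
    _, _, pos = read_tlv(msg, pos)                 # community
    ptag, pdu, _ = read_tlv(msg, pos)
    if tag != 0x30 or ptag != 0xA2:
        raise ValueError("not an SNMP GetResponse")
    _, _, pos = read_tlv(pdu)                      # request-id
    _, status, pos = read_tlv(pdu, pos)            # error-status
    _, _, pos = read_tlv(pdu, pos)                 # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(varbinds)
    _, _, pos = read_tlv(varbind)                  # OID
    vtag, value, _ = read_tlv(varbind, pos)
    if vtag == 0x04:
        value = value.decode(errors="replace")
    elif vtag == 0x02:
        value = int.from_bytes(value, "big", signed=True)
    return int.from_bytes(status, "big"), value


def probe_snmp(host, port=161, community="public", timeout=2.0):
    """One GetRequest for sysDescr.0; returns (status, value), or None if the host is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_snmp_get(community, SYSDESCR_OID), (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_snmp_response(data)


def start_mock_agent(banner):
    """Constructed stand-in for an exposed agent on localhost; answers one GET, returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        _, addr = srv.recvfrom(4096)
        srv.sendto(build_snmp_response("public", SYSDESCR_OID, banner), addr)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

`probe_snmp("203.0.113.1")` against your own public address from an outside host is the check; `None` is the answer you want. A silent host is not proof of safety (a firewall may drop the probe while a different community string still works), so also confirm on the router itself that SNMP is disabled or bound to the LAN side only.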


Blu-Ray Protection Has Finally Been Cracked

Friday, March 21st, 2008

SlySoft has announced a new version of its AnyDVD HD software, version 6.4.0.0, which can copy Blu-ray discs protected not only by AACS but also by BD+. BD+ was introduced in June 2007, which means it has been cracked faster than AACS was.

In October 2007 SlySoft announced that it had bypassed the BD+ protection scheme. That support was partial: a user could copy a movie to a PC but not burn it to a Blu-ray disc. A later release could copy BD+ protected discs, and on March 19, 2008 version 6.4.0.0 arrived with the claim that it can copy any Blu-ray disc. According to SlySoft, copying of 20th Century Fox discs was also improved.

SlySoft is registered in Antigua & Barbuda in the Caribbean. Local Legislation in Antigua & Barbuda does not prohibit digital media copyrights bypass.


iPhone 2.0 Unlocked Before The Release

Wednesday, March 12th, 2008

A renegade group of developers calling itself the “iPhone Dev Team” claims to have cracked Apple’s not-yet-released iPhone 2.0 software.

The claimed crack means yet more pressure on Apple Inc. in the cat-and-mouse game between the company and its network partners on one side and, on the other, independent developers and the owners of a million unlocked iPhones. The group also says it has decrypted and jailbroken the new iPhone software, and has published a series of screenshots of third-party applications running on the device. The jailbreak currently works only with hacked activation, meaning it will not work on AT&T iPhones yet.

Apple executives have characterized the buoyant global market in unlocked iPhones as a positive thing, suggesting strong pent-up demand for the product, which is as yet available in just four markets: U.S., U.K., Germany and France.
