M32 Security » Software

Mobile Carriers In Very Hot Water Over Carrier IQ “Rootkit”

Kyle — Thu, 01 Dec 2011 19:04:55 +0000

Image via CrunchBase

I first took attention to Carrier IQ when it was discovered by custom ROM developers for the phone I personally have; the Sprint Epic4G made by Samsung. The device is part of the massively popular Galaxy S line of Android-powered devices that virtually every major cellular carrier in the world sells. Around June, it was discovered that this software records virtually everything a user does with their phone from each screen-tap to every site they visit to recording audio and even the physical orientation of the device itself.

A thread (which I now cannot find on XDA-Developers) outlined this “middleware” and it was surmised that individual Carriers like Sprint used it solely for coverage and troubleshooting issues. An effort was undertaken to remove this software from the Android Linux kernel as it was discovered to hinder the device’s performance. Developers notably had a very difficult time removing Carrier IQ, but managed to eventually remove it for their custom Android ROMs.

Fast forward to Fall of 2011 where a developer named Trevor Eckhart decided to look into Carrier IQ a bit deeper and found that Carrier IQ was essentially a rootkit and actually recorded almost all actions performed with a device it was installed on and phoned home with that information. He has released a video showing proof of Carrier IQ recording his location with location turned off, un-encrypted HTTPS streams, all SMS messages sent/received, and even EVERY touch of the device screen he makes.

Carrier IQ Part #2

Essentially what everything boils down to is that carriers can spy on literally everything you do with your phone. This is obviously a blatant violation of privacy rights and repercussions are sure to come. Developing…

Carrier IQ Rootkit Reportedly Logs Everything On Millions Of Phones (pcworld.com)
You Can Test Your Android For Carrier IQ (Sort Of) [Carrier Iq] (gizmodo.com)
People Are Freaking Out About Carrier IQ, The Hidden Smartphone Program That Tracks Everything You Do (businessinsider.com)
Carrier IQ: How To Find It, And How To Deal With It – TechCrunch (techcrunch.com)
Silicon Alley Insider: RIM: We Do Not Authorize Carrier IQ On BlackBerry Phones (RIMM) (businessinsider.com)
Verizon: No CarrierIQ, No way (gigaom.com)
So, there’s a rootkit hidden in millions of cellphones (zdnet.com)
Phone ‘Rootkit’ Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases (textually.org)

Tags: Android, CarrierIQ, Cell, developers, eckhart, galaxy, isc, kit, Logs, middleware, power, release, Rootkit, Samsung, SMS, Sprint, Trevor Eckhart, tw, violation of privacy, XDA Developers

WordPress.org Possibly Compromised, Resets ALL Passwords

Kyle — Wed, 22 Jun 2011 00:40:44 +0000

WordPress founder Matt Mullenweg posted on WordPress.org’s News page today that several popular WordPress plugins had changes committed to them that had been determined to not be from their developers. The commits actually added back doors that would compromise potentially hundreds of thousands of WordPress installations that utilized them. As a precautionary measure, all changes were reverted for these plugins and ALL passwords to WordPress.org, BuddyPress.org, and bbPress.org reset. There aren’t many more details as of yet, but there is sure to be a witch hunt over the integrity of WordPress.org’s security as well as all code that powers the CMS.

Tags: Addthis, BuddyPress, cms, code, Compromised, founder, Matt Mullenweg, News, Security, W3 Totalcache, WordPress, wordpress plugins, wordpress.org, WPTouch

LulzSec Hacks Sony…Again…And Scores PSN Source Code

Kyle — Tue, 07 Jun 2011 00:56:38 +0000

LulzSec, also known as Lulz Security, which has become infamous for their past and more recent hacks including PBS and Sony, has hacked Sony HQ…again. This time they scored around 54 megabytes of the developer’s source code to the PlayStation Network. What does it mean? Hold on to your butts. The group published a press release detailing the hack while simultaneously releasing all stolen code to the public through various channels. The implications of this are enormous, as Sony’s PSN is now wide-open to any exploits found in the previously obfuscated code. Expect Sony’s problems to continue for a while.

The targeting of Sony stems from their legal assault on George Hotz, otherwise known as GeoHotz, who had found and published a way to circumvent protection mechanisms on the PlayStation 3. This was a big deal after the company removed the “Other OS” feature through a firmware update that allowed the installation of Linux on the console to use the powerful IBM Cell processor that powers the machine. The PS3 has been known to be used by organizations like the US Air Force in supercomputer clusters due to the Cell processor’s vastly superior floating-point performance which is highly desired for processing large amounts of data for modeling.

Stay tuned…

Tags: ACHIEVEMENT, Cell, floating point, geohotz, George Hotz, IBM, ibm cell processor, legal assault, lulz, LulzSec, OtherOS, pbs, playstation 3, point performance, ps3, psn, release, sony hq, Source, supercomputer

The Evolved GPU: Password Killer?

Kyle — Sun, 05 Jun 2011 22:42:35 +0000

Since the advent of Open CL and technologies like Nvidia’s CUDA that use the massive potential in the evolved design of today’s Graphics Processing Units to aid in other areas of computing that require massive repetitive, parallel processing power, there has been a lot of new applications that were before impractical with standard CPUs to do. One of them is brute-forcing passwords. The trend in the modern GPU mixed with Moore’s law may actually make even some of the strongest password schemes obsolete. ZDNet’s Adrian Kingley-Hughes has a good writeup on it and the implications that may come of the trend in GPUs.

Tags: computing, cuda, gpu, GPUs, nvidia, OpenCL, parallel processing, Password, password schemes, power, processing units

Zeus v3 Trojan Silently Siphoning Money From UK Bank Accounts

Kyle — Thu, 12 Aug 2010 03:19:40 +0000

Security research firm M86 Security (no relation) has posted a whitepaper outlining how cyber-criminals started utilizing the Zeus v3 trojan in conjunction with the Eleonore, Phoenix, and Siberia Exploit Kits to siphon £675,000 (~$1.05 million USD) so far from UK victims’ systems that have been compromised. The attack started on July 5th and has continued silently ever since. The main reason why the theft hasn’t been successfully mitigated thus far is because of the Zeus trojan’s extreme difficulty to detect by antivirus solutions. The Zeus trojan, also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber is sold as a kit to people willing to pay a price for the latest code known as Zeus v3. It primarily infects a machine through exploiting un-patched versions of Internet Explorer to gain control.

The Zeus trojan has been known to steal user data in the past, but has never been used in such a direct manner. In the US, there are believed to be 3.6 million infected machines by the malware alone, which makes it arguably one of the world’s most dangerous trojans/botnets in terms of potential damage. The Daily Mail has a good article outlining the exact details.

M86 Security Whitepaper (PDF)

Tags: botnet, Eleonore, Gorhax, kit, M86 Security, malware, Phoenix, siberia, trojan, UK, ZBot, Zeus v3, £675000

Conficker: The Proactive Worm Ahead Of The Curve

Kyle — Sun, 08 Aug 2010 19:26:15 +0000

An interesting article over at The Register shows how the now infamous ~6 million strong Conficker botnet/worm stays ahead of the curve in terms of Information Security by staying proactive and paranoid in how it is managed. Although the classification of the worm only goes from A through E, the botnet itself is ever-evolving; creating a nightmare for researchers world-wide in detection and cleansing of infected machines. It is unknown who runs the botnet, but it is known that the technical skill behind its command is very much on the bleeding-edge of security as well as social engineering. For instance, the worm uses simple exploits to infect Windows machines, but it phones home to domain names which can no longer be predicted and shut-down to receive new instructions and updates to the code that infects the machine. It has used scareware in the past to spread as well, such as bogus security software. It has even gone so far as to actually remove or fix other security threats on an infected machine to avoid detection. It constantly stays up-to-date and often mitigates even the newest anti-malware tools designed to remove it.

What makes it so hard to remove is its inability to be cracked. It has used the MD6 cryptographic hash function that was a candidate for the NIST SHA-3 Hash Competition with a 4096-bit RSA key. Even when a buffer-overflow vulnerability was discovered in MD6, the botnet’s owner corrected the implementation within a matter of days. There is an entire working group called The Conficker Working Group tasked entirely to the botnet, which has yet to break-in and take any sort of control away from whoever runs it.

In-depth article at The Register

Tags: botnet, buffer overflow, Conficker, Conficker Working Group, Downadup, Downup, Kido, MD6, nist, RSA, scareware, SHA-3, worm

Snort 2.9 Beta & 2.8.6.1 update released

Kyle — Fri, 30 Jul 2010 04:46:51 +0000

Snort is a registered trademark of Sourcefire, Inc

Sourcefire has been busy as ever keeping their second-to-none Snort® IDS/IPS system at the forefront of network security technology. Yesterday they released an update to the 2.8 family of Snort®, bringing it to version 2.8.6.1. It brings some fixes to the installer package, fixing some issues with detecting false-positives in pattern matching & FTP string format verification, and incorrect handling of empty FTP response codes to data transfer commands commands.

Snort® 2.9 has officially gone Beta. 2.9 includes a myriad of new features such as a robust IPS mode for inline deployments, a new common API for all active response, a new response module that is backward-compatible with resp and resp2 syntax, a new preprocessor for inline deployments to interpret packets the same way a host would, and a new Data Acquisition API that supports multiple packet access methods for better & easier integration with existing infrastructure, updated HTTP Inspect, updated & more robust SMTP preprocessor, the ability to test drop rules for inline mode before implementation, and greatly improved overall IPv6 support. Also new is integration with Intel’s Quick Assist technology.

Find it all and more on the release page over at Sourcefire

Tags: IDS, IPS, IPv6, snort, Sourcefire Inc

Microsoft LNK vulnerability exploit spreading quickly

Kyle — Thu, 29 Jul 2010 05:14:41 +0000

At last writing, the Microsoft LNK vulnerability that was originally used to target SCADA systems by the Stuxnet worm in Iran, India, and Indonesia was slowly gaining speed and the exploit had a proof-of-concept in the open. Now it is accelerating. It is now being picked up by old virus/worm/malware families and incorporated into their arsenals to take new victims; some using social engineering, some using their own unique tactics. While the exploit method itself hasn’t changed, the exploiters using it are vigorously churning out new versions of their software. I think it’s safe to say Madagascar will be closing its ports soon. (Warning: addictive)

New detected malwares are Chymine, Vobfus, Sality, Zeus, and most recently, Downloader-CJX

Technet article on Vobfus

The Register on LNK exploit activity

F-Secure blog entry

Tags: Chymine, LNK, LNK-O, malware, microsoft lnk, SALITY, SCADA, Stuxnet, TrojanDownloader, Vobfus, ZBot

LNK Zero-Day Exploit: Siemens WinCC SCADA systems targeted

Kyle — Mon, 26 Jul 2010 05:20:59 +0000

It turns out that the original targets for the highly-dangerous Windows Shell LNK Zero-Day Exploit were Siemens WinCC SCADA systems with hard-coded credentials used in large infrastructure systems like factories and power grids. Once the attacker had successfully executed the LNK exploit, they accessed the Siemens WinCC program and extracted sensitive data from the database the software uses. It is highly suspected that the exploit was explicitly used for espionage toward Iran and Indonesia at the very least, but by whom or what exact purpose is not clear. What is clear is that the Siemens WinCC software was targeted. The Siemens WinCC software has what is considered one of the top vulnerabilities in software according to CWE/SANS, which is the use of fixed-credentials. This type of vulnerability has been publicly disclosed for over two years and the password to this specific software (2WSXcder) has been publicly known since at least 2008. Siemens was made aware of the issue on July 14 and shortly started to asses the problem and notify customers.

In the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild already actively actively using this exploit according to ESET. Expect to see this exploit to be a bit prolific due to its new and unique nature combined with the relative ineffectiveness of detection/removal systems thus far.

Wired Article on password’s public exposure

ESET Blog on new Zero-day exploit in the wild

Tags: 2WSXcder, Chymine, Ivanlef, july 14, LNK, SCADA, Siemens, siemens wincc, WinCC, zero day

Highly-Dangerous Zero-Day Windows Shell LNK Exploit Discovered

Kyle — Sat, 17 Jul 2010 19:38:22 +0000

This one isn’t good. In fact, it’s downright scary. This exploits a vulnerability in Windows’ handling of LNK files. It affects ALL versions of Windows; at least all currently supported versions. No mention all unsupported versions, but assume they are affected as well. It is already being exploited by the Stuxnet rootkit and most likely many more nasty things very, very soon. Microsoft’s solution in Security Advisory 2286198 is to disable AutoRun completely, disable displaying of icons for programs, and disabling the WebClient service. That means disabling WebDAV and pretty much disabling icons for program links. It currently has an extremely high level of impact due to the simple nature of exploit. It is advised that antivirus is updated immediately (as in yesterday) as well as firewall inspection signatures are kept up-to-date to mitigate this.

US-CERT Vulnerability Note VU#940193

F-Secure Notice & Info

Discovered by VirusBlockAda on June 17

CVE-ID CVE-2010-2568

NVD-ID CVE-2010-2568

Article in The Register

Tags: 2010-2568, 2286198, 940193, cve, lnk file, microsoft, webclient service, Windows, zero day