Wednesday, January 20, 2010

Apology virus writers

For someone who retired a year remembered for the financial crisis for someone - the epidemic of influenza. For me the year was unusually rich in various kinds malvar as a template completely, and really worthwhile that wrenched me out of the usual cycle of events. In any case, it's time to take stock of "work" virus in 2009 and make projections for the future.

To begin, as usual, with the unpleasant: the myth of the invincibility of computers from Apple, and, respectively, and their operating system (for individuals who spent the past ten years in a bomb shelter, do remark - an OS for Macintosh computers called MacOS) shattered. In 2009 was created the first "apple" botnet, discovered multiple vulnerabilities in the operating system itself, and in the third-party applications.

Sami attack, I'll say straight, does not represent anything interesting - Unix architecture is conservative, and, if desired, players can browse the Internet, you can easily rewrite the exploit of five years ago under the "modern" MacOS. If to look to the past, we must natknemsya the vulnerability in FreeBSD, discovered as much in 2005. And now, four years later, this error is found in MacOS 10.5.6. Multiple integer overflow allows an attacker with the help of special system calls, i386_set_ltd and i386_get_ltd, increase the privileges of a local user computer. Vulnerable to this scourge were only the owners of Macintosh processor companies Intel: in fact, as we know, the forerunner of Pentium chips in their virtual memory according to two descriptors table, or rather - LDT and GDT.

Generally in the world there are three types of tables of descriptors, namely: the interrupt descriptor table, the local descriptor table and global descriptor table. Local Table (LDT - Local Descriptor Table) is in itself a gateway problem, challenges and segment descriptor. Each segment is unavailable problem, if its description in no GDT, or in the LDT, since the local descriptor table is described in the global descriptor table (GDT - Global Descriptor Table). Accordingly, employing the above-described function i386_get_ltd and reporting in the description (see listing), the call option is the maximum possible size, we are able to copy the memory dump of the kernel to user environment.

int i386_get_ltd (int start_sel,
union descriptor *descs, int num_sels);

It's funny, because in the past year the company Intel failures toppled a clod: the scandal of unfair competition from AMD, a relatively weak start Core i7 (but it seems to me that peak sales of the new processor will occur in late spring of next year - Windows 7 at this time will have time to win significant part of the consumer market, and the requirements of the OS, though democratic, consistent with the relatively small number of personal computers). And all would be nothing, if in 2008, Russia's famous hacker Chris Kasperski has not provided the public vulnerability in absolutely all the processors the company. (And Chris, among other things, lad - in addition to the above-described opening, he found a really obscene number of errors down to a fundamental error in the DNS (!)) On its report on HITB not write except that lazy - really, how about if even processors contain errors? And, according to Chris, half of them are not going to fix the company.

Linux, surrounded by the aura of inaccessibility, as was the length and breadth investigated. Brad Spangler (Brad Spengler) found a vulnerability in the kernel module grsecurity, available in kernels 2.6.30 and below. I wonder these things event for two reasons: first and most obvious - is not often we are pleased with vulnerabilities in the most proletarian OS (this is due to the fact that Linux-based distributions are not as common as a family of operating systems Windows, and attention, of course, they paid much smaller, with only a narrow circle of specialists), and second - it is virtually unnoticeable mistake, because Brad, on his own admission, found it quite by accident, when studied the code, digging in a completely different direction.

Bug found in dereferencing pointer to function tun_chr_pool () file / drivers / net / tun.c, and is to initialize some variable sk (see listing), which can be set equal to zero. Then it is checked by the compiler so that if it really is zero, then the assembly error is returned to us. In the process of optimizing GCC calmly carve a block if (! Tun), considering that the value of this variable has long been given that would allow an attacker to read and write data at 0h000000000.

struc sock *sk = tun->sk;
return POLLER //here the compiler displays an error message

But at the time, deviate from the correct operating systems and look sensational in the early years of the worm Conflicker (alias downadup, kido, etc), which for four days, according to statistics, has infected 10 million (!) Computers. In terms of virus writers, the code is, quite frankly, does not shine, but the creators of non-standard approach to the problem of propagation of the worm, his original method of protection and interaction with the "masters" certainly deserve respect.

Microsoft Corporation in October 2008 released a patch covering the buffer overflow MS08-067 in the service "Server". Naturally, people who regularly update the operating system became the first victims of the attack. Also, do not surprise me, and that pockets of the epidemic occurred in the post-Soviet countries - in fact, as you know, we absolutely can legally buy any version of Windows for ten thousand rubles, thereby depriving themselves of the opportunity to receive critical updates in a timely manner. The worm took advantage of this well - he sent to the computer user a specially crafted RPC-request, causing a buffer overflow in the function call wcspy_s library netapi32.dll. Next - matter of technology: the computer running the code-loader, successfully merging malvar. Next, the worm through the interception of API-calls, responsible for contacting DNS, blocking almost all known antiviral URL (containing the title of sophos, kaspersky, nod, avira, etc.) And spread itself to other computers connected private intranet (if the victim had a ) by brute force the password to the standard system ball $ ADMIN, then calmly sends itself on unsuspecting users.

Longtime reception viruses to external flash-drives has also changed - downadup obfusifitsiroval file autorun.inf, filling his "garbage" that allowed the successful pass defense most antiviruses. Excess "code" slightly increases file size, allowing the invisible stuff there a single line that launches the malicious code on the user's machine.

Most virus writers to admit a serious mistake, rigidly fixing the IP address of the domain, where the worm has to send all harvested information. Creator conflicker entered originally, namely - to teach a worm to use 250 different domain names, of course, not written in the body of the virus. Advance can not say exactly where the worm sends the information: a specific algorithm, depending on the current date, generates the name of the new management of domains, where and sent later. There he is, as follows: first, the worm goes straight to (or any other search service), which receives the current day and month. At the same time generated a list of domains where the worm will download additional files required for him to continue "life". As seen, the worm uses a completely standard methods, and one can only wonder, how did not think about before.

Also year was successful and the beautiful break-ins. Known resources Runet been as much to two burglaries, which resulted in the loss of confidential information. The attacker took advantage of an error in the currently fashionable flash-applications, and then successfully "merged" the order of 150 thousand logins and passwords from users register an account. And earlier this year a resource to all who wish to quietly spread the Trojans again stealing e-mail-address of the victim. What to do with such a huge database of email addresses, to explain, I think not.

In my opinion, in the near future, the main target for hackers, "hatskerov" and other representatives of "progressive youth" (on how to write virus serious uncle, was written above) will be mobile phones. The development of wireless access systems (Well, tell me, who now surprise wi-fi or 3G? And in the near future we will be pleased with wimax and more ...), and weak protection of communicators carelessness of users who think that "mobile phone" can not hack, will be a good to rise. Moreover, about 46% of references to the notorious "VKontakte" is generated from mobile platforms. A recently established botnet of Apple iPhone proof of this. Time to buy Kaspersky Antivirus Mobile or other anti-virus solution for handheld devices, to redouble the vigilance (read: be paranoid), and carefully monitor their phone, checking it for suspicious content.

As an epilogue to tell you a most amusing story: Russia (the first time in the world!) Found a Trojan in the ATM (yes, you are not mistaken, it was at the ATM), which would collect sensitive information about users. How it all came to an attacker, and has remained a mystery, but, taking into account the fact that the ATM - is a kind of safe, that is accessible only by representatives of the bank employees and the manufacturer's tech support, it can be concluded that there was insider, intimately familiar with original architecture computer (the code was perfectly sharpened under the platform, suggesting the presence of certain specifications), and transmit all the collected information to the attacker. So be vigilant, paranoia in our time no one hurt.

"Get Money for Clicks" - Fastest Growing Domain Parking Company in the World.

No comments:

Post a Comment