Category: IT Security News & Updates

A new IoT malware loader: „privatgodgg.sh“

As usual, it targets ARM-based devices and it tries to download other files (privntpd1, privsshd1, privopenssh1, privbash1, privtftp1, privwget1 etc) via curl or wget (whichever is available on the infected devices). As usual, we suspect this loader to be injected via unauthenticated telnet/hard-coded credentials – although it could be a …

IoT Malware advances

A new strain (as long as December 2016 can be called new) has been spotted on GitHub that combines both a standard telnet scanner and also MIRAI. It has been uploaded here: https://github.com/geo93033/u. In the header(s) you can find some credentials: Xmpp: [email protected] Twitter: @P2PBOTNET Instragram: @Rebirth.c Skype: b1narythag0d and Skype: …

Gr1N – a new malware that also targets IoT devices?

While doing some investigations for one of our clients, we came across a (new) malware strain. After some quick investigations, we found 2 sources (both in C++, a client and a server). They are signed with: // Client.c Made By @Gr1n1337 – // DeepWeb Fourms User Name – Gr1n …

Next level: updating devices with malware-infected firmware?

A new article that appeared on motherboard.vice.com (Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers) talks about a new type of attack: devices that are being abused via their update mechanism to host a malware-infected (let’s call it malware for now) firmware.

Impossible? Not really. Of course, some of the problems that might appear are: How do you pair the device with the „right“ firmware? How do you rebuild the malware-infected firmware?

But the most important question: doesn’t the device (or the manufacturer) use a rather strong security mechanism to certify that the firmware is indeed legit? If it does, maybe it’s time to update it. If not… well, trouble ahead!

Anyway, it’s not really a case of „trash the device“, rather a case of painful (and costly) ways to identify and disinfect it.

But… does this look like the dawn of ransomware-vulnerable-devices? Yes, sure it does. Just wait for it… or better not, and be prepared.

Google Analytics – no data validation?

Recently, one of our clients contacted us about something rather strange: a „language“ value in his new Google Analytics setup that stated: „Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!“

Of course, we all know that browser headers/requests can be easily altered, but we still wonder why Google allows such values in its [non-bot] visitor-related reports, and whether it does any data validation / sanitizing at all.

Google Analytics: Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!

P.S. Beware that „secret.ɢoogle.com“ differs from „secret.google.com“. Here are the byte values (decimal; the non-ASCII „ɢ“ takes two bytes in UTF-8):
Secret.ɢoogle.com: 115 101 099 114 101 116 046 201 162 111 111 103 108 101 046 099 111 109
secret.google.com: 115 101 099 114 101 116 046 103 111 111 103 108 101 046 099 111 109
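The check discussed above, as an added example (not code from the original post or from Google): it validates a reported „language“ value and, for any host-like token in it, lists the non-ASCII characters and the ASCII (punycode) form of the name. The language-tag pattern and all function names are assumptions made for illustration.

```python
import re
import unicodedata

# Assumption: a genuine browser language value is a short tag such as "en-us".
LANG_TAG = re.compile(r"[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*")
# Dotted, host-like tokens; non-ASCII letters are deliberately allowed.
HOST_LIKE = re.compile(r"[^\s/:@.]+(?:\.[^\s/:@.]+)+")

# The value quoted in the post, used here as sample input (\u0262 is the lookalike G).
SPAM = ("Secret.\u0262oogle.com You are invited! Enter only with this "
        "ticket URL. Copy it. Vote for Trump!")

def is_valid_language(value):
    """True only if the whole value is shaped like a language tag."""
    return LANG_TAG.fullmatch(value.strip()) is not None

def non_ascii_chars(host):
    """(char, code point, Unicode name, UTF-8 bytes) for each non-ASCII char."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"),
             list(c.encode("utf-8")))
            for c in host if ord(c) > 127]

def to_punycode(host):
    """ASCII form of a hostname: non-ASCII labels become xn-- labels."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)

def inspect_language_field(value):
    """Report whether the value is a plausible language and which hosts it names."""
    hosts = [{"host": h, "ascii_form": to_punycode(h),
              "non_ascii": non_ascii_chars(h)}
             for h in HOST_LIKE.findall(value)]
    return {"valid_language": is_valid_language(value), "hosts": hosts}

if __name__ == "__main__":
    for sample in (SPAM, "en-us"):
        print(inspect_language_field(sample))
```

Showing the `ascii_form` next to the displayed name in a report makes the difference between the two hostnames visible at a glance.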

Google Search Suggestions: Mirai

Google Search suggestions show an increased interest and, maybe, demand in Mirai – the piece of software used to create botnets capable of [very large] DDoS attacks. Brace yourself for new strains and attacks.

Mirai Suggestions

P.S. The part with „mirai botnet tutorial“ is kind of funny. Kind of.

ArduWorm: A Functional Malware Targeting Arduino Devices

Think your Arduino Yun is safe on the Internet? Well, think again! Abstract—The Internet of Things (IoT) is a growing market which provides several benefits for industry, governments and end users. However, the increasing use of embedded and pervasive devices introduces new vulnerabilities in the network. In the last years, …

Attention! „Live HTTP Headers“ – a Chrome extension that tracks clicks

One of our clients has reported unusual behavior while using this extension to track / develop a website and the associated webapp.

It seems the extension has been modified to inject tracking [that’s the least we found out from our quick investigation]. Part of the code used can be found here:
https://gist.github.com/mala/e87973df5029d96c9269d9431fcef5cb

We recommend anyone using this extension to uninstall it and carefully investigate.