Google Analytics – no data validation?

Recently, one of our clients contacted us about something rather strange: a „language“ value in his new Google Analytics setup that read: „Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!“

Of course, we all know that browser headers and requests can be altered easily, but we still wonder why Google lets such values into its visitor-related (non-bot) reports, and whether it does any validation or sanitising of them at all.

[Screenshot: Google Analytics language report showing „Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!“]

P.S. Beware that „secret.ɢoogle.com“ differs from „secret.google.com“: the ɢ is U+0262 (LATIN LETTER SMALL CAPITAL G), not an ASCII g, so the two strings are different domains that look alike. Here are both as decimal UTF-8 byte values (the ɢ is the two-byte sequence 201 162):
secret.ɢoogle.com: 115 101 099 114 101 116 046 201 162 111 111 103 108 101 046 099 111 109
secret.google.com: 115 101 099 114 101 116 046 103 111 111 103 108 101 046 099 111 109
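What a validation step on the receiving side could look like, as an added example (not code from the original post, and nothing to do with Google's own implementation): the reported „language“ is kept only if it is shaped like a BCP 47 tag, and every non-ASCII character in a reported value is listed with its code point, so a homoglyph such as the ɢ above stands out instead of blending in. The byte lists are the ones printed in the P.S.; the assumption that a tracker records a single tag (like navigator.language) rather than a full Accept-Language header is mine.

```python
"""Validation checks for a self-reported browser "language" value.

Added example, not code from the original post. The byte lists are the
decimal UTF-8 values printed in the post; the spam text is the value the
client saw in his report. Assumption: the tracker records a single
language tag (like navigator.language), not a full Accept-Language header.
"""
import re
import unicodedata

# Decimal byte values as printed in the post (UTF-8 encoded strings).
SPOOFED_DOMAIN_BYTES = [115, 101, 99, 114, 101, 116, 46, 201, 162,
                        111, 111, 103, 108, 101, 46, 99, 111, 109]
REAL_DOMAIN_BYTES = [115, 101, 99, 114, 101, 116, 46, 103,
                     111, 111, 103, 108, 101, 46, 99, 111, 109]

# The "language" value reported by the client (U+0262 is the small capital G).
SPAM_LANGUAGE_VALUE = ("Secret.\u0262oogle.com You are invited! "
                       "Enter only with this ticket URL. Copy it. Vote for Trump!")

# Deliberately simple BCP 47 shape: a 2-3 letter language subtag followed by
# optional 2-8 character subtags ("en", "en-US", "zh-Hant-TW"). ASCII only.
LANGUAGE_TAG = re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*")
MAX_TAG_LEN = 35  # generous cap; real tags are far shorter


def decode_utf8_bytes(values):
    """Turn a decimal byte list back into text."""
    return bytes(values).decode("utf-8")


def non_ascii_chars(text):
    """(char, 'U+XXXX', Unicode name) for every non-ASCII character in text.

    An empty list means the string is pure ASCII; anything else deserves a
    look, because a language tag (or a hostname) has no business containing it.
    """
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in text if ord(ch) > 0x7F]


def looks_like_language_tag(value):
    """True only for values shaped like a BCP 47 language tag."""
    return (len(value) <= MAX_TAG_LEN
            and LANGUAGE_TAG.fullmatch(value) is not None)


def validate_language(value):
    """Return the value to store, or None if it must be kept out of reports."""
    return value if looks_like_language_tag(value) else None


if __name__ == "__main__":
    spoofed = decode_utf8_bytes(SPOOFED_DOMAIN_BYTES)
    real = decode_utf8_bytes(REAL_DOMAIN_BYTES)
    print(f"{spoofed!r} == {real!r}? {spoofed == real}")
    print("non-ASCII in spoofed domain:", non_ascii_chars(spoofed))
    for v in ("en-US", "zh-Hant-TW", SPAM_LANGUAGE_VALUE):
        print(f"{v[:30]!r:35} -> {validate_language(v)!r}")
```

The tag check is intentionally a shape check, not a lookup against the IANA registry: it is enough to keep free text and URLs out of a „language“ column, which is the gap the report above exposes.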

Google Search Suggestions: Mirai

Google Search suggestions show increased interest in, and perhaps demand for, Mirai, the malware used to build botnets capable of very large DDoS attacks. Brace yourself for new strains and new attacks.

[Screenshot: Google Search suggestions for „mirai“]

P.S. The part with „mirai botnet tutorial“ is kind of funny. Kind of.

New IoT Malware? Anime/Kami

During August 2016, we came across several devices infected with a new malware that we could not identify, for now. It resides on a read-write partition of some CCTV devices (most partitions on these devices are read-only), in a folder called .anime, under the name .kami. The attack seems to have used hard-coded telnet credentials to log in and then downloaded the as-yet-unknown malware (or perhaps created the file via „echo“ commands).

[Screenshot: the .anime/.kami file on an infected CCTV device]

We failed to identify it because it is truncated: the complete file appears to be larger than the free space on the partition it was written to (mounted as /mnt/mtd), so the write stopped early and the ELF is incomplete.

Output of file(1):
.kami: ERROR: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, error reading (Invalid argument)

The MD5 of it:

cdd887f2112b3d87b96154ca492368a8 .kami
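The „error reading“ from file(1) above is what a truncated ELF looks like from the outside: the header promises program and section header tables (and segment contents) at offsets that lie beyond the end of the file. The following check, an added example rather than anything from the original post or the sample itself, parses an ELF32 LSB header, names the machine type, and compares the file size the header implies with the bytes actually present. The image it runs on is constructed here (SuperH machine type, one loadable segment, three section headers) and then cut short, to stand in for the .kami file.

```python
"""Detect a truncated ELF32 LSB binary from its own header fields.

Added example, not code from the original post and not the .kami sample:
the test image below is constructed to mimic a small static SuperH
executable whose download stopped early.
"""
import struct

EHDR_FMT = "<16sHHIIIIIHHHHHH"          # ELF32 little-endian file header
PHDR_FMT = "<IIIIIIII"                  # ELF32 program header entry
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 52 bytes
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 32 bytes
PT_LOAD = 1
EM_SH = 42                              # what file(1) prints as "Renesas SH"
MACHINE_NAMES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 42: "Renesas SH"}


def parse_ehdr(data):
    """Unpack the ELF32 header; raise ValueError if this is not ELF32 LSB."""
    if len(data) < EHDR_SIZE:
        raise ValueError("shorter than an ELF32 header")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    ident = fields[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    return fields


def elf32_machine(data):
    """Human-readable e_machine, e.g. 'Renesas SH' for the CCTV SoC here."""
    e_machine = parse_ehdr(data)[2]
    return MACHINE_NAMES.get(e_machine, f"unknown ({e_machine})")


def elf32_required_size(data):
    """Smallest file size consistent with the header: the program header
    table, the section header table and every segment's file extent."""
    (_ident, _type, _machine, _ver, _entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = parse_ehdr(data)
    required = EHDR_SIZE
    if e_phnum:
        required = max(required, e_phoff + e_phnum * e_phentsize)
    if e_shnum:
        required = max(required, e_shoff + e_shnum * e_shentsize)
    # Walk whatever part of the program header table survived the truncation.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR_SIZE > len(data):
            break
        _ptype, p_offset, _va, _pa, p_filesz, _memsz, _pflags, _align = \
            struct.unpack_from(PHDR_FMT, data, off)
        required = max(required, p_offset + p_filesz)
    return required


def truncation_report(data):
    """Return (is_truncated, required_size, actual_size)."""
    required = elf32_required_size(data)
    return required > len(data), required, len(data)


def build_sample(segment_filesz=0x2000, keep=None):
    """Constructed ELF32 LSB SuperH image: one PT_LOAD segment of
    `segment_filesz` bytes followed by three section headers. `keep` cuts
    the file to that many bytes, simulating a write that ran out of flash."""
    shnum, shentsize = 3, 40
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # class32, LSB, v1
    ehdr = struct.pack(EHDR_FMT, ident, 2, EM_SH, 1, 0x400000, EHDR_SIZE,
                       segment_filesz, 0, EHDR_SIZE, PHDR_SIZE, 1,
                       shentsize, shnum, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 0, 0x400000, 0x400000,
                       segment_filesz, segment_filesz, 5, 0x1000)
    body = ehdr + phdr
    body += bytes(segment_filesz - len(body))   # rest of the loadable segment
    body += bytes(shnum * shentsize)           # section header table at e_shoff
    return body if keep is None else body[:keep]


if __name__ == "__main__":
    for label, img in (("complete", build_sample()), ("cut short", build_sample(keep=200))):
        trunc, need, have = truncation_report(img)
        print(f"{label}: {elf32_machine(img)}, needs {need} bytes, has {have}, "
              f"truncated={trunc}")
```

On a real recovery the interesting number is the required size: it tells you how much of the binary is missing and therefore whether a partial carve is worth sending to a sandbox or string analysis at all.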

For now, all we can recommend is to take these devices out of the router's DMZ and use proper port forwarding instead (forward only the ports actually needed, and certainly not telnet on 23/tcp, which is how this attack got in), and, where needed, to place a router or firewall in front of them.