IoT Malware advances

A new strain (as long as December 2016 can be called new) has been spotted on GitHub that combines a standard telnet scanner with MIRAI. It has been uploaded here: https://github.com/geo93033/u. In the header(s) you can find some contact handles: Xmpp: [email protected] Twitter: @P2PBOTNET Instragram: @Rebirth.c Skype: b1narythag0d and Skype: …

Next level: updating devices with malware-infected firmware?

A new article that appeared on motherboard.vice.com (Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers) describes a new type of attack: devices being abused through their own update mechanism to load a malware-infected (let’s call it malware for now) firmware.

Impossible? Not really. Of course, some of the problems that might appear are: How do you pair the device with the ”right” firmware? How do you rebuild the malware-infected firmware?

But the most important question: doesn’t the device (or the manufacturer) use a rather strong security mechanism to certify that the firmware is indeed legit? If it does, maybe it’s time to update it. If not… well, trouble ahead!

Anyway, it’s not really a case of ”trash the device”, rather a case of painful (and costly) ways to identify and disinfect it.

But… does this look like the dawn of ransomware-vulnerable-devices? Yes, sure it does. Just wait for it… or better not, and be prepared.

Google Analytics – no data validation?

Recently, one of our clients contacted us about something rather strange: a ”language” value in his new Google Analytics setup that read: ”Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!”

Of course, we all know that browser headers/requests can be easily altered, but we still wonder why Google allows such values into its [non-bot] visitor-related reports, and whether it does any data validation / sanitizing at all.

[Screenshot] Google Analytics: Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!

P.S. Beware that ”secret.ɢoogle.com” differs from ”secret.google.com”: the ”ɢ” is not an ASCII ”g”. Here are the decimal byte values of each name (UTF-8 encoded):
Secret.ɢoogle.com: 115 101 099 114 101 116 046 201 162 111 111 103 108 101 046 099 111 109
secret.google.com: 115 101 099 114 101 116 046 103 111 111 103 108 101 046 099 111 109
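To make that homoglyph visible in a report rather than rely on the eye, here is an added example (not part of the original post) that lists the UTF-8 byte values the way the post does, flags every non-ASCII character in a hostname with its Unicode name, and shows the ASCII-compatible (xn--) form of each label. The two hostnames are the ones from the post, embedded inline.

```python
import unicodedata

# The two hostnames from the post. The lookalike is written as an escape so the
# difference is visible in source: U+0262 is LATIN LETTER SMALL CAPITAL G.
LOOKALIKE = "secret.\u0262oogle.com"
GENUINE = "secret.google.com"


def utf8_decimal_bytes(text: str) -> list:
    """Decimal values of the UTF-8 bytes (the listing the post shows; the
    non-ASCII letter is the only place where the two lists differ)."""
    return list(text.encode("utf-8"))


def non_ascii_chars(hostname: str) -> list:
    """Every character outside printable ASCII, with code point and Unicode name,
    so a reviewer sees 'U+0262 LATIN LETTER SMALL CAPITAL G' instead of a
    letter that renders almost like 'g'."""
    report = []
    for index, ch in enumerate(hostname):
        if not (0x20 <= ord(ch) <= 0x7E):
            report.append({
                "index": index,
                "char": ch,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "UNKNOWN"),
            })
    return report


def ace_form(hostname: str) -> str:
    """ASCII-compatible form of the name: labels containing non-ASCII characters
    are lower-cased and Punycode-encoded behind the 'xn--' prefix. Only this
    minimal mapping is applied (no full IDNA/UTS-46 processing); it is enough to
    make the lookalike stand out as plain ASCII in logs and reports."""
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.lower().encode("punycode").decode("ascii"))
    return ".".join(labels)


def looks_like_homoglyph_attack(hostname: str, expected: str) -> bool:
    """True when the name carries non-ASCII characters and, once those are
    exposed through the ACE form, it is still not the expected name."""
    return bool(non_ascii_chars(hostname)) and ace_form(hostname) != expected


if __name__ == "__main__":
    for name in (LOOKALIKE, GENUINE):
        print(name, utf8_decimal_bytes(name), non_ascii_chars(name), ace_form(name))
```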

Google Search Suggestions: Mirai

Google Search suggestions show increased interest in, and maybe demand for, Mirai – the piece of software used to create botnets capable of [very large] DDoS attacks. Brace yourself for new strains and attacks.

[Screenshot] Mirai Suggestions

P.S. The part with ”mirai botnet tutorial” is kind of funny. Kind of.

Attention! ”Live HTTP Headers” – a Chrome extension that tracks clicks

One of our clients has reported unusual behavior while using this extension to track / develop a website and the associated webapp.

It seems the extension has been modified to inject tracking [that is the least our quick investigation turned up]. Part of the code used can be found here:
https://gist.github.com/mala/e87973df5029d96c9269d9431fcef5cb

We recommend that anyone using this extension uninstall it and investigate carefully.