7 Year Malware | TechSNAP 150

7 Year Malware | TechSNAP 150

The Mask, an advanced persistent threat is revealed, a slew of various home router models are actively being exploited, we’ll share the important details.

Plus some routing basics explained, and much much more.

On this week’s TechSNAP

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Kaspersky discovered “The Mask” APT

  • We got some hints about Careto (also know as “The Mask” or “The Masked APT”) a few weeks ago, and speculation suggested that the unusual native language of the attackers was Korean
  • In an even bigger surprise, it turns out the attackers are Spanish speaking
  • the Spanish-speaking attackers targeted government institutions, energy, oil & gas companies and other high-profile victims via a cross-platform malware toolkit
  • Full Research PDF
  • The APT has been going on since 2007 or earlier
  • “More than 380 unique victims in 31 countries have been observed to date”
  • “What makes “The Mask” special is the complexity of the toolset used by the
    attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32 and 64 bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS)”
  • “The Mask also uses a customized attack against older versions of Kaspersky Lab products to hide in the system, putting them above Duqu in terms of sophistication and making it one of the most advanced threats at the moment. This and several other factors make us believe this could be a nation state sponsored campaign”
  • “When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations”
  • “The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government level encryption tools”
  • “Overall, we have found exploits for Java, Flash SWF (CVE-2012-0773), as well as malicious plugins for Chrome and Firefox, on Windows, Linux and OS X. The names of the subdirectories give some information about the kind of attack they launch, for instance we can find /jupd where JavaUpdate.jar downloads and executes javaupdt.exe”
  • “CVE-2012-0773 has an interesting history. It was originally discovered by French
    company VUPEN and used to win the “pwn2own” contest in 2012. This was the first
    known exploit to escape the Chrome sandbox. VUPEN refused to share the exploit
    with the contest organizers, claiming that it plans to sell it to its customers”
  • “A Google engineer offered Bekrar (of VUPEN) $60,000 on top of the $60,000 he had already won for the Pwn2Own contest if he would hand over the sandbox exploit and the details so Google could fix the vulnerability. Bekrar declined and joked that he might consider the offer if Google bumped it up to $1 million, but he later told WIRED he wouldn’t hand it over for even $1 million.”
  • This suggests that the threat actor may be a government
  • However, Chaouki Bekrar denies the VUPEN exploit was used
  • “Several attacks against browsers supporting Java have been observed.
    Unfortunately, we weren’t able to retrieve all the components from these attacks, as
    they were no longer available on the server at the time of checking”
  • Also exploits CVE-2011-3544 against Java
  • Additional Coverage

Linksys Router Malware

  • Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.
  • Johannes B. Ullrich, CTO of the Sans Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher.
  • A blog post Sans published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.
  • Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024.
  • The attack begins with a remote call to the Home Network Administration Protocol (HNAP), an interface that allows ISPs and others to remotely manage home and office routers. The remote function is exposed by a built-in Web server that listens for commands sent over the Internet.
  • Typically, it requires the remote user to enter a valid administrative password before executing commands, although previous bugs in HNAP implementations have left routers vulnerable to attack.
  • After using HNAP to identify vulnerable routers, the worm exploits an authentication bypass vulnerability in a CGI script.
  • Infected devices are highly selective about the IP ranges they will scan when searching for other vulnerable routers. The sample Ullrich obtained listed just 627 blocks of /21 and /24 subnets.
  • The discovery comes a week after researchers in Poland reported an ongoing attack used to steal online banking credentials, in part by modifying home routers\’ DNS settings.
  • The phony domain name resolvers listed in the router settings redirected victims\’ computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service; the sites would then steal the victims\’ login credentials.
  • The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers.
  • Two days after this article was published, Linksys representatives issued the following statement:

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware.
+ Additional Coverage Internet Storm Center
+ These are not the only routers that have problems
+ Home Routers pose the biggest threat to consumer security
+ An old backdoor from 2005 was found in brand new Cisco home “Gigabit Security Routers”
+ As the covered last year, 40-50 million routers have uPnP flaw
+ Yesterday, researchers found a stack overflow bug in Linksys WRT120N routers
+ The new protocol that proposes to make “security” easier on the next generation of home routers may cause more harm than good
+ Asus Routers are also vulnerable including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R


Round Up:

Question? Comments? Contact us here!