Center for Strategic Assessment and forecasts

Autonomous non-profit organization

Home / Defence and security / / Other
Security Week 18: a Hole in all systems with Intel Core, Apple has taken a certificate from the Trojan, ransomware flooded the planet
Material posted: Publication date: 08-05-2017
About what so long spoke bezopasniki happened. Happened almost ten years ago, and now it became widely known that the Intel Management Engine firmware showed vulnerability. In the announcement from Intel indicated the version from 6.0 to 11.6, and is, at the moment, all versions starting from 2008, platforms for Intel Core first generation.

Those who knows that knows ME, is scary. It can read and write any area of memory and storage, to spy on what is happening on the screen, to send and receive from the network every, ignoring working within the firewall, all with no logs, no trace. According to rumors, even disk encryption bypasses ME without tension. Inhuman useful thing.

No brainer that embedded in the motherboard legitimate hardware backdoor, it is necessary to tighten the screws in the security system that Intel did. IME code, for example, encrypted 2048-bit key. But as usual, something went wrong and now the progressive community knew for certain about the possibility to remotely capture access control functions ME. Under the threat of machine that have implemented AMT, ISM and SBT. Well that is everything on those chipsets under Intel Core.

However, Intel in their alert States that the vulnerability is not on the usual consumersi systems, and it seems like the truth – as if there is no AMT ISM and SBT. But we understand that consumersi product by and large different from corporate gastroectomy in the firmware. So in this case: as already learned by the researchers, to exploit the hole you and ConsumerScan chipset, not remotely, but locally. That is, for example, any malware from userspace quite able to obtain unlimited power over the system.

People in the subject immediately began to remember what someone hinted at the presence of holes in ME last year. Damien Zammit was arguing that the safety of ME based on the secret code that rukastogo analysts is not an intractable problem. And Charlie from SemiAccurate Demerjian generally statedthat researchers have long poked these vulnerabilities in Intel. Hearing about this Intel Threatpost asked a legitimate question that, well, it was, but William moss from Intel in no way confessed. According to him, the company has learned about everything only in March, and now, in may, ready patch. What else would you want from Intel, ungrateful?!

The patch is a good thing. But we understand that in addition to cards manufactured most Intel, there are still a great many other manufacturers boards on their chipsets. For them Intel is not responsible – they took off the patch and forgotten. But will they close the hole in their firmware, these same third parties, and when, is the question. Meantime, it is proposed to disable remote management technologies in CMOS Setup and tear down of system utilities Intel. Well, OK.

Apple has revoked the certificate from Trojan for OS X
News. Last week Check Point caught new Trojan for Macs – OSX/Dok. It is engaged in wiretapping of traffic and is able to fully control all communications on infected machines, including encrypted channels. This is done simple browser proxy slips, which is controlled by hackers, and all traffic goes through it. Previously, the Trojan installs in the system of your root certificate so that the browser trusts the certificate of the proxy server, and determine what HTTPS traffic is intercepted, it becomes difficult.

Distributed OSX/Dok through phishing scams, victims receive letters from a zip file, which is actually an executable file. If a naive Mac user clicks on the file, the Trojan is copied to the /User/Shared and displays a message that the archive is damaged, leave me alone. Then it finds the boot menu AppStore and stands in his place. After rebooting the system shows a window with the notification about the system update and requires a password. While the victim password do not enter anything you do on your computer. And when you enter, Doc gets administrator rights.

To do all this mess, and remain undetected, the Trojan allows a legitimate digital signature Apple developer, or stolen, or obtained specifically for dark deeds. From the point of view of security, he was a real honest Trojan, Apple approved. Well, now Apple has withdrawn the certificate and, Doc will no longer be able to deceive us.

A large part of the malware – ransomware programs
News. Study. Verizon Enterpise produces research on various cyber incidents that the company is investigating the year. Last year they had to deal with 40 thousand incidents, of which 1935 – various hacks. The findings are very disturbing: attack ransomware different species increased by 50%, a substantial contribution was made by Peter with Mike.

Cyberbiological began to run thin. If before a typical cryptologi with grace 1st konarmia breaks on the machine and encrypt all encrypted (and often were sent away because the machine was not anything of value), it is now sitting quietly and looking for really important data. For this, they have mastered Bespalova technique of attack, and even remembered the good old macros for MSWord.

The main problem security Verizon considers insufficiently spread two-factor authentication. In most cases, hackers with enough brute force and phishing to do with the victim whatever they want.



Resident harmless stealth"Ghost"virus. The standard affects. EXE files when they start and the MBR of the hard drive when you run the infected file. Original MBR sector and its continuation saves the last sectors of the logical drive C:, reducing it in the Partition Table (disk) size.

RAM infects only when booting from an infected MBR. Intercepts int 13h, 1Ch, 21h. Depending on its internal counters displays a colorful image reminiscent of a flying airplane, and the phrase: "Execute: mov ax, FE03 / int 21. Key to go on!" if you perform the recommended action on the screen appears the text:

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992. Page 107.


RELATED MATERIALS: Defence and security