Viruses and Worms

How a cryptocurrency-destroying bug almost didn’t get reported

Sophos Naked Security - 13 August 2018 - 18:03
A researcher recently revealed how he found a bug that could have brought the fourth largest cryptocurrency to its knees – and how he was almost unable to report it.

Black Hat Video Exclusive: Mobile APTs Redefining Phishing Attacks - 13 August 2018 - 16:47
Mike Murray, vice president of security intelligence at Lookout, discusses how mobile is redefining phishing, taking it out of the traditional inbox and into SMS and Facebook messages.
Category: Viruses and Worms

US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old

The Register - Anti-Virus - 13 August 2018 - 16:30
Pen and paper is still king in American election security

DEF CON  Hackers of all ages have been investigating America’s voting machine tech, and the results weren't great.…

DEF CON 2018: Voting Hacks Prompt Push Back from Election Officials, Vendors - 13 August 2018 - 15:56
The Vote Hacking Village invited attendees – including kids as young as six – to hack the voting infrastructure, including ballot machines, a voter database and more.

Siri is listening to you, but she’s NOT spying, says Apple

Sophos Naked Security - 13 August 2018 - 14:55
Apple's working to keep iPhones from eavesdropping on us, through privacy policies, short buffer windows, local storage, and app review.

Feds indict 12 for allegedly buying iPhones on other people’s dimes

Sophos Naked Security - 13 August 2018 - 14:43
They allegedly hacked into phone accounts, convinced retailers they were who they weren't, and upgraded to shiny new gadgets for small fees.

KeyPass ransomware

Kaspersky Securelist - 13 August 2018 - 14:21

In the last few days, our anti-ransomware module has been detecting a new malware variant, the KeyPass ransomware. Others in the security community have also noticed that this ransomware began to spread actively in August:

Notification from MalwareHunterTeam

Distribution model

According to our information, the malware is propagated by means of fake installers that download the ransomware module.


The Trojan sample is written in C++ and compiled with MS Visual Studio. It uses the MFC, Boost and Crypto++ libraries. The PE header contains a recent compilation date.

PE header with compilation date

When started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It then deletes itself from the original location.

Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments.

Command line arguments

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.

The list of excluded paths

Every encrypted file gets an additional extension, “.KEYPASS”, and a ransom note named “!!!KEYPASS_DECRYPTION_INFO!!!.txt” is saved in each processed directory.

The ransom note

Encryption scheme

The developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with a zero IV and the same 32-byte key for all files. The Trojan encrypts at most 0x500000 bytes (5 MiB) at the beginning of each file; anything beyond that is left in plaintext. Reusing one key with a fixed IV means the CFB keystream is identical across files for as long as their plaintext prefixes match, so a known header in one file exposes the same bytes in every other file, quite apart from the key itself being observable in the C&C traffic or, in the offline case, recoverable from the sample.

Part of the procedure that implements data encryption

Soon after launch, KeyPass connects to its command and control (C&C) server and receives the encryption key and the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON.

If the C&C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the Trojan falls back to a hardcoded key and ID, which means that files encrypted offline can be decrypted trivially, since that key can be extracted from the sample itself.
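The following Go program is an added illustration, not code from the KeyPass sample or from Kaspersky. It reproduces the scheme described above (AES-256-CFB, zero IV, one key for every file, only the first 0x500000 bytes encrypted) to show two consequences a responder can use. First, because the IV is zero and the key is shared, the first 16-byte keystream block is E_k(0) for every file, so the known first block of any one file (a file-format magic header, for instance) decrypts the first block of every other file without the key, and the keystream stays identical for as long as two files share a plaintext prefix. Second, in the offline case the hardcoded key extracted from the sample decrypts everything directly. The key, the file contents and the 16-byte header are constructed placeholders; the real sample's key, its JSON exchange and its CFB segment size are not on the page (full-block CFB is assumed here).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Only the first 0x500000 bytes (5 MiB) of each file are encrypted, as described above.
const maxEncrypted = 0x500000

// Placeholder key (assumption): the real sample receives its key from the C&C
// or falls back to a hardcoded one; the actual value is not reproduced here.
var hypotheticalKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// The sample uses an all-zero IV for every file.
var zeroIV = make([]byte, aes.BlockSize)

// encryptPrefix mimics the scheme: AES-256-CFB, zero IV, shared key,
// applied to at most maxEncrypted leading bytes; the tail is left as-is.
func encryptPrefix(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(data)
	if n > maxEncrypted {
		n = maxEncrypted
	}
	out := make([]byte, len(data))
	copy(out, data)
	cipher.NewCFBEncrypter(block, zeroIV).XORKeyStream(out[:n], data[:n])
	return out, nil
}

// decryptPrefix is the inverse; with the hardcoded offline key extracted from
// the sample this is all a decryptor for the no-C&C case needs to do.
func decryptPrefix(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(data)
	if n > maxEncrypted {
		n = maxEncrypted
	}
	out := make([]byte, len(data))
	copy(out, data)
	cipher.NewCFBDecrypter(block, zeroIV).XORKeyStream(out[:n], data[:n])
	return out, nil
}

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverFirstBlockKeystream: in CFB the first ciphertext block is
// P0 XOR E_k(IV). With IV = 0 and one key for all files, E_k(0) is the same
// 16 bytes for every file, so any known first plaintext block reveals it.
func recoverFirstBlockKeystream(knownPlain, cipherText []byte) []byte {
	return xorBytes(knownPlain[:aes.BlockSize], cipherText[:aes.BlockSize])
}

func main() {
	header := []byte("HEADER-16-BYTES!") // constructed 16-byte "magic" shared by both files
	fileA := append(append([]byte{}, header...), "alpha contents of file A"...)
	fileB := append(append([]byte{}, header...), "totally different body B"...)

	ca, _ := encryptPrefix(hypotheticalKey, fileA)
	cb, _ := encryptPrefix(hypotheticalKey, fileB)
	fmt.Println("first ciphertext blocks equal:", bytes.Equal(ca[:16], cb[:16]))

	ks := recoverFirstBlockKeystream(fileA, ca) // known plaintext from file A only
	fmt.Printf("file B first block without the key: %q\n", xorBytes(ks, cb[:16]))
	fmt.Println("E_k(0) =", hex.EncodeToString(ks))

	plain, _ := decryptPrefix(hypotheticalKey, ca) // offline case: key is in the sample
	fmt.Println("full decrypt with extracted key:", bytes.Equal(plain, fileA))
}
```

Because block i of the CFB keystream is E_k(C[i-1]) and C[0] is shared, the second-block ciphertexts of the two files XOR to the XOR of their second-block plaintexts as well; the leak ends only at the first block where the plaintexts diverge.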


From our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default but can be shown by pressing a specific key. This capability might indicate that the criminals behind the Trojan intend to use it in manual attacks.

GUI of the trojan

This form allows the attacker to customize the encryption process by changing such parameters as:

  • encryption key
  • name of ransom note
  • text of ransom note
  • victim ID
  • extension of the encrypted files
  • list of paths to be excluded from the encryption

Paths excluded from encryption by default

Pseudocode of the procedure that shows the GUI by a keypress

Geography

Map of KeyPass detections (image not reproduced)

IOC

901d893f665c6f9741aa940e5f275952 – Trojan-Ransom.Win32.Encoder.n

In-flight satellite comms vulnerable to remote attack, researcher finds

Sophos Naked Security - 13 August 2018 - 14:11
On a journey between Madrid and Copenhagen, researcher Ruben Santamarta decided to use Wireshark to study the aircraft’s in-flight Wi-Fi.

Criminal justice software code could send you to jail and there’s nothing you can do about it

The Register - Anti-Virus - 13 August 2018 - 12:50
Trade secrets are trumping personal liberty

DEF CON  American police and the judiciary are increasingly relying on software to catch, prosecute and sentence criminal suspects, but the code is untested, unavailable to suspects' defense teams, and in some cases provably biased.…

Prank 'Give me a raise!' email nearly lands sysadmin with dismissal

The Register - Anti-Virus - 13 August 2018 - 11:45
Staffer learns hard way: boss jokes don't mix well with infosec demos

Who, Me?  Welcome again to Who, Me?, where we invite Reg readers to begin the week crossing their fingers it will be better than those of our featured techies.…

Former NSA top hacker names the filthy four of nation-state hacking

The Register - Anti-Virus - 13 August 2018 - 11:11
Carefully omits to mention the Land of the Free

DEF CON  Rob Joyce, the former head of the NSA’s Tailored Access Operations hacking team, has spilled the beans on which nations are getting up to mischief online.…

Monday review – the hot 19 stories of the week

Sophos Naked Security - 13 August 2018 - 11:04
From the unpopular Windows 10 updates and the Snapchat source code leaked on GitHub to the 'unhackable' BitFi hardware that got hacked, and more!

UK cyber cops: Infosec pros could help us divert teens from 'dark side'

The Register - Anti-Virus - 13 August 2018 - 10:11
Police seek mentor-like techies to help talented kids

UK police are looking to cybersecurity firms to help implement a strategy of steering youngsters away from a life in online crime.…

DEF CON 2018: Critical Bug Opens Millions of HP OfficeJet Printers to Attack - 13 August 2018 - 00:00
A malicious fax sent to an HP Inc. OfficeJet all-in-one inkjet printer can give hackers control of the printer and act as a springboard into an attached network environment.

DEF CON 2018: Apple 0-Day (Re)Opens Door to ‘Synthetic’ Mouse-Click Attack - 12 August 2018 - 19:00
Apple 0-Day allows hackers to mimic mouse-clicks for kernel access, despite mitigations.

DEF CON 2018: Hacking Medical Protocols to Change Vital Signs - 12 August 2018 - 02:00
LAS VEGAS – In recent years there has been more attention paid to the security of medical devices; however, there has been little security research done on the unique protocols used by these devices. Many of the insulin pumps, heart monitors and other gadgets found in hospital rooms use aging protocols to communicate with nurses’ […]

DEF CON 2018: Telltale URLs Leak PII to Dozens of Third Parties - 11 August 2018 - 20:50
Analytics, advertising and other web scripts can capture information housed in user confirmations for flight bookings, food delivery, medical testing and more.

Snap code snatched, Pentagon bans bands, pacemakers cracked, etc

The Register - Anti-Virus - 11 August 2018 - 10:27
New zero-day vendor opens up shop, and more in infosec this week

Roundup  This week, the infosec world descended on Las Vegas for BlackHat and DEF CON to share stories of bug hunting, malware neural nets, hefty payout offers, and more.…

The off-brand 'military-grade' x86 processors, in the library, with the root-granting 'backdoor'

The Register - Anti-Virus - 10 August 2018 - 23:04
Dive into a weird and wonderful 'feature' of Via's embedded hardware chips

Black Hat  A forgotten family of x86-compatible processors still used in specialist hardware, and touted for "military-grade security features," has a backdoor that malware and rogue users can exploit to completely hijack systems.…

Chris Valasek and Charlie Miller: How to Secure Autonomous Vehicles - 10 August 2018 - 23:03
Famous car hackers Chris Valasek and Charlie Miller returned to Black Hat to discuss how manufacturers can secure autonomous vehicles.