Jul 11 2012

How DNSChanger Malware Works

DNSChangerDNSChanger is malicious software (malware) that changes a user’s Domain Name System (DNS) settings, in order to divert traffic to unsolicited and potentially illegal sites.

Beginning in 2007, the cyber ring responsible for DNSChanger operated under the company name “Rove Digital” and used the malware to manipulate users’ Web activity by redirecting unsuspecting users to rogue DNS servers hosted in Estonia, New York, and Chicago. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

FBI has since seized the rogue DNS servers and the botnet’s command-and-control (C&C) servers as part of “Operation Ghost Click” and the servers are now under their control. To assist victims affected by the DNSChanger, the FBI obtained a court order authorising the Internet Systems Consortium (ISC) to deploy and maintain temporary legitimate DNS servers, replacing the Rove Digital malicious network. As mentioned earlier, this is by no means a permanent solution and does not remove malware from infected systems; it just provides additional time for victims to clean affected computers and restore their normal DNS settings. According to the court order-which expired on 9 July 2012-the clean DNS servers will be turned off and computers still infected by DNSChanger malware may lose Internet connectivity.

To put this into perspective, DNS is an Internet service that converts user-friendly domain names into the numerical IP addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website you are intending to visit. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer’s network configuration.

DNS Work DNSChanger Work
How DNS Works How DNSChanger Works

With the ability to change a computer’s DNS settings, malware authors can control what websites a computer connects to on the Internet and can force a compromised computer to connect to a fraudulent website or redirect the computer away from an intended website. To do that, a malware author needs to compromise a computer with malicious code, which in this case is DNSChanger. Once the computer is compromised, the malware modifies the DNS settings from the ISP’s legitimate DNS server’s address to the rogue DNS server’s address, in this case, advertisement websites.

A task force has been created, called the DNSChanger Working Group (DCWG), to help people determine if their computers have been compromised by this threat and to also help them remove the threat.

Jul 10 2012

Anonymous Hack Hands WikiLeaks 2 Million Syrian Emails

Anonymous WikiLeaksHacktivist group Anonymous is claiming responsibility for an attack on the computer systems of the Syrian government and its evil overlord Bashar Assad thanks to which over two million emails ended up in the hands of whistle-blowing site WikiLeaks.

As of last Thursday, the site began drip-feeding sections of the ‘Syria Files’ to its selected media partners, and given there are a total of 2.4m emails from 680 separate domains going all the way back to August 2006, it could take some time.

Anonymous revealed in a press release that its Op Syria team – comprising members of Anonymous Syria, AntiSec and sometime collaborator the Peoples Liberation Front – first breached multiple domains and servers in the war-torn country back in February.

So large was the data available to be taken, and so great was the danger of detection (especially for the members of Anonymous Syria, many of whom are ‘in country’) that the downloading of this data took several additional weeks,” the release said.

Not knowing quite what to do with the huge treasure trove of information it had snarfed, the group handed it over to WikiLeaks, the organisation it had partnered with before in the hack of private intelligence firm Stratfor.

There were no details of exactly how the attack took place but given the usual MO of Anonymous, you can expect it took advantage of some pretty obvious web application vulnerabilities.

The hacktivist group was also keen to portray itself as a force for good offline as well as on, claiming six of its members carried medical supplies across the border and that it has been helping local activists and protesters avoid surveillance efforts by the Assad regime.

Anti-government activists in Syria have been targeted by phishing campaigns and spyware for months, most recently the BlackShades Trojan which spreads via compromised Skype accounts.

Jul 09 2012

Hackers Steal Keyless BMW in 3 Minutes

On the car forum 1Addicts, a one-time poster by the name of “stolen1m” uploaded the video showing how his BMW was stolen in under three minutes. He suspects the thieves used devices that plug into the car’s On-Board Diagnostic (ODB) port to program a new keyfob.

In this particular video, there are a few security flaws that the hackers are exploiting simultaneously: there is no sensor that is triggered when the thieves initially break the window, the internal ultrasonic sensor system has a “blind spot” just in front of the OBD port, the OBD port is constantly powered (even when the car is off), and last but not least, it does not require a password. All of this means the thieves can gain complete access to the car without even entering it.

BMW has acknowledged that there is a problem, but is downplaying this particular issue by saying the whole industry struggles with thievery. This is unfortunate given that the evidence seems to point towards BMWs being specifically targeted. Whether that’s because they are luxury cars or because they have a security loophole doesn’t matter: the point is BMW needs to do something about it.

If you want to protect yourself from this hack, look into how you can disable the OBD port on your BMW by disconnecting the corresponding wires. If you or your dealer needs it, you can always reenable it. Alternatively, you can try to further secure the port in your own custom way.

Jul 05 2012

Android Clickjacking Rootkit Demonstrated

ClickJackingA team of security researchers have demonstrated how a security flaw in Android 4.0.4 can be exploited by a clickjacking rootkit.

The research team is lead by North Carolina State University professor Xuxian Jiang, who succeeded in developing a proof-of-concept rootkit that attacks the Android framework as opposed to the underlying operating system kernel. The researchers contend that such a rootkit could potentially be downloaded with an infected app and be used to manipulate the smartphone.

In the video, the demonstrator was able to hide applications on the device, as well as get them to launch when icons for other applications are clicked. If downloaded with an infected application, the rootkit could for example hide the smartphone’s browser and replace it with a browser that looks exactly the same but actually steals all of the user’s information.