The Hacker News — Cyber Security, Hacking, Technology News

"Due to the special RAM disk feature of Android devices’ boot partition, all current mobile antivirus products in the world can’t completely remove this Trojan or effectively repair the system."

"According to our statistics, as of today, there’re more than 500, 000 Android devices infected by this bootkit in China in last six months.

Like Bitcoin, There are numerous other cryptocurrency similar in nature, including MasterCoin, ProtoShares, Litecoin, Peercoin, BitBar and many more.

One of them is Primecoin (sign: Ψ; code: XPM), a peer-to-peer open source cryptocurrency that implements a scientific computing proof-of-work system. Unlike Bitcoin or other virtual currencies, only Primecoin provides a proof of work that has intrinsic value. It generates a special form of prime number chains, known as ‘Cunningham chains & bi-twin chains’ and has a real world importance in mathematical research.

Worldwide famous RSA Encryption basically uses two prime numbers for generating a RSA key pair. If you are able to factorize the public key and find these prime numbers, you will then be able to find the private key. Thus, the whole Security of RSA encryption is based on the length of prime numbers. So, Primecoin plays a great role for crypto researchers to get large... and a very large number of Primes.

Like other cryptocurrency miners, Primecoin miners are also available and in simple terms, just put your computer to work to find prime numbers chain and make money.

After Bitcoin, the increasing public attention of other cryptocurrency did not go unnoticed by the Cyber criminals who have begun unleashing Primecoin mining malware.

Mehrdad Yazdizadeh, a security researcher from antivirus firm 'Panda Security' told The Hacker News that he has found few malicious Primecoin miners available on the Internet for Download from some Chinese websites and Torrents.
"Primecoin miners are written in python and other scripting languages are using a variety of methods to infect the users' systems i.e. Brute-forcing, privilege escalation, modify SQL tables". He said.

Those infected systems can be used as a botnet network to perform further attacks. Another interesting feature of this malware is the ability to host SQL server through XP_cmdshell of MSSQL.

"On execution, the malware will inject the SQL server to cmd.exe, svchost.exe, explorer.exe and similar process to hide itself as rootkits" he added.

Users affected by this malware will experience abnormally high CPU usage on their computers as a result of the infection.

Further analyses showed that the malware creates a process that call “sqlservr.exe”, pointing to another file i.e. “primecoin.conf”, which contains the credential and the IP address of the malware's master to communicate.

"Even if a user will delete sqlservr.exe or the conf folder, it will recover itself again and again. Also, malware is capable to enable the windows Guest account automatically" he said.

He found thousands of login (mostly failed to login) activities in a infected machine via the windows event, seems that Malware is facilitating the attacker to brute force the system user accounts for privilege escalation.

He collected some of the attacker's IP addresses from where the brute-force attack was triggered:

"I saw an attempt was made to reset an account's password. It tried to download more malicious files from other servers, " he said.

According to the virus total report currently almost none of the Antivirus products are able to detect it:

According to a new report, the world’s biggest personal computer maker, Chinese firm Lenovo Group Limited has reportedly been banned from supplying equipment for networks of the intelligence and defense services of Australia, the United States, Britain, Canada and New Zealand, due to hacking concerns.

Sources from intelligence and defense entities in the UK and Australia have confirmed the ban introduced in the mid-2000s after intensive laboratory testing of its equipment. In 2006 it was disclosed that the US State Department had decided not to use 16,000 new Lenovo computers on classified networks because of security concerns.

Serious backdoor vulnerabilities in hardware and firmware were apparently discovered during the tests which could allow attackers to remotely access devices without the knowledge of the owner.

Lenovo, headquartered in Beijing, acquired IBM’s personal computer business in 2005, after which IBM continued to sell servers and mainframes that were accredited for secret and top-secret networks. GCHQ, MI5, MI6, the Australian Security Intelligence Organization, the Australian Secret Intelligence Service, and the NSA were all named as participating in the Lenovo ban.

Hardware backdoors are very hard to detect if they are well-designed, according to James Turner, an IT security analyst at IBRS, a technology research firm.

In the UK meanwhile, Huawei’s cyber-security practices are currently under review from the government, after an Intelligence and Security Committee report said the company could pose a significant threat to the UK's telecommunications industry if its self-policing security policy remained unchecked.

Early 2012 ESET company a mysterious malware, dubbed the Avatar rootkit (Win32/Rootkit.Avatar), advertised in the underground forums by Russian cyber crime.

"We present you here previously announced product. In connection with work on other projects, we moved the release date for the public from May to February 2013th 2012go.Now nuclear rootkit AVATAR is available for rental."

Despite the malware was described months ago it was not found and published until now, in March ESET researchers detected two droppers with different C&C servers and having different compilation time stamps as showed in the following pictures:

The Avatar rootkit appears very sophisticated, it uses two different infection techniques, the first in the dropper so as to bypass detections by HIPS, and the second one in the rootkit driver to allow the malware to be alive after system reboot, the instance detected works only on x86 systems.

The 2 level dropper for Avatar rootkit works in conjunction, the first one implements LZMA decompression for the second level dropper. Driver module and second level dropper are unique in every instance of malware thanks to a random names generator names for mutexes/events in the first level dropper.

To the second level dropper is assigned the function of escalate privilege on target system, the dropper uses two different techniques, the exploitation of the MS11-080 vulnerability with code as a public exploit from Metasploit Framework with minor changes, and COM Elevation (UAC whitelist).

The following a diagram that shows the process implemented by dropper:

Most interesting part of the exploit code of Avatar rootkit is the steps taken after exploitation, kernel-mode shellcode is in fact executed to load malicious driver, the rootkit driver is not stored on the hard drive and loads only from a memory region. 

The Avatar rootkit implements a technique for loading the driver by system driver infection that appeared very effective for bypassing victim’s defense, and allows the loads other kernel-mode modules exploiting the malicious system driver.

"In order to perform its infection, Avatar randomly chooses a driver and checks its name against a blacklist that varies for every Windows versions." "The Avatar rootkit driver is able to infect several system drivers without changing the original driver’s file size."

Once loaded the Avatar rootkit driver, the malicious code executes an algorithm for infecting system drivers so as to survive after reboot, the malware is also able to detect the presence of a virtual machine environment thanks to a sophisticated technique that query BIOS to check for some specific strings related to principal machines available on the market such as VirtualBox and VMware.

The malware uses a hidden file system to store the user-mode payload module and also additional files, all the data are encrypted using a custom symmetric cipher. The hidden file storage is also used by Avatar rootkit to store additional user-mode and kernel-mode modules that malware can download and execute. Avatar rootkit doesn't store malicious modules in any standard NTFS storage, except for infected system drivers.

"Of course, this means the initial infection can be the starting point of a variety of malicious activities based on the modules that deployed. In our case the payload component avcmd.dll was injected into svchost.exe system process which started communicating with C&C IP addresses stored in the configuration file. "

Another interesting feature implemented by authors of the rootkit in the protection of communications with the command center with a custom encryption algorithm which output is base64-encoded, Avatar rootkit has an additional way of communicating with the C&C server searching for messages in Yahoo groups using special parameters. The technique is not new and is very efficient to protect the malware over sinkhole attempts of security firms, because information about C&C’s domains is encrypted using an RSA asymmetric algorithm.

"The group description is encrypted with an RSA algorithm and a 1024-bit private key. It is possible to decrypt this data with the public key stored in the configuration file. We suppose this information is to be found in the encrypted message used for returning control for a botnet without an active C&C."

But Avatar rootkit appears a very complex and articulated project, it is accompanied by a list of API for developing additional components based on the Avatar Runtime Library, a special SDK for developing additional user-mode components which allow communication with the Avatar rootkit driver.

Win32/Rootkit.Avatar is considerable a sophisticated rootkit family having many interesting features to avoid detection by security software, due this reason security experts believe that the agent has been developed for long term infection by the system executing the attack.

Avatar rootkit may hold many surprises in the next future.

The malware downloads itself into the folder "%windir%\Installer\", where is a unique number that identifies your computer, for example "%windir%\Installer\{df3d9e18-342c-8c07-8dab-13e76d8b4322}".

Moreover, Some variants of Trojan:Win32/Necurs can inject code into all running processes. The injected code is known as a "dead byte"; certain system processes will cause your computer to restart if they are injected with this code.

Strong anti-security features are provided by the Necurs driver. The driver has a very clear goal: protecting every Necurs component from being removed.

This example shows that malicious software is growing more sophisticated and is starting to include various components that serve individual purposes. These threats may target various versions of operating systems or even different software platforms.