Lutz Wolf
72 followers

Lutz's posts

Description and some code for packing animations into a single PNG file and some JSON data that can be played back in most browsers:
http://www.sublimetext.com/~jps/animated_gifs_the_hard_way.html

Post has shared content
More on my ongoing chase of #badBIOS malware. It's been difficult to confirm this as I'm down to a precious few reference systems that are clean. I lost another one yesterday confirming that simply plugging in a USB device from an infected system into a clean one is sufficient to infect. This was on a BSD system, so this is definitely not a Windows issue, and it's a low level issue: I didn't even mount the volume and it was infected. Could this be an overflow in the way the BIOS IDs the drive?

Infected systems seem to reprogram the flash controllers on USB sticks (and CD drives, more on that later) to attack the system (BIOS?). There are only like ten different kinds of flash controllers used in all the different brands of memory sticks and all of them are reprogrammable, so writing a generic attack is totally feasible. Coincidentally the only sites I've found with flash controller reset software are .ru sites, and they seem to 404 on infected systems.

The tell is still that #badBIOS systems refuse to boot CDs (this is across all OSes, including my Macs). There are other more esoteric problems with partition tables and devices on infected systems. Also USB CD drives are affected; I've bricked a few plugging and unplugging them too fast (presumably as they were being reflashed) on infected systems. Unsafely ejecting USB memory sticks has also bricked them a few times on #badBIOS systems for clean systems, though mysteriously they are "fixed" and reset by just simply replugging them into an infected system. Extracting data from infected systems is VERY tricky. Yesterday I watched as the malware modified some files on a CD I was burning to extract data from an infected system; don't know what it was yet, I have to set up a system to analyze that stuff.

On Windows my current suspicion is that they use font files to get up to some nastiness. I found 246 extra TTF and 150 FON files on a cleanly installed Windows 8 system, and three stand out, meiryo, meiryob, and malgunnb, that are 8 MB, instead of the 7 and 4 MB sizes one would expect. Unfortunately TTF files are executable and Windows "previews" them... These same files are locked by TrustedInstaller and inaccessible to users and administrators on infected systems, and here comes the weird part: they mysteriously disappeared from the CD I tried to burn on a completely new system (a laptop that hadn't been used in a few years) that my friend brought over which had just been freshly installed with Win 8.1 from MSDN, with the install media checksum verified on another system.

I'm still analyzing, but I'm certain we'll ALL have a large problem here. I have more data and info I can share with folks that are interested.

Post has shared content
Hey all! I've managed to develop a Metasploit module that exploits the addJavascriptInterface issue! I've successfully demonstrated the attack by performing a MITM attack against Fruit Ninja! Remember, MITM is possible through a plethora of means (as +mike kershaw mentioned in his recent post), such as DNS hijacking/spoofing/poisoning, ARP spoofing, WiFi injection, backbone trickery, base stations, and more. Although it only gives a shell as the application UID, it could be paired with a privilege escalation issue to yield a remote root shell (such as from one of +Justin Case or +Dan Rosenberg's exploits).

Developing this module required a bunch of effort in back-end MSF development (a module-extensible HTTP proxy) so it may take a while to get into upstream. Hopefully I can wrap up a few of the remaining loose ends and release it next week. If you'd like to beta test, email addjsif [at] qoop.org.

There's a screenshot of the module in action below.

PS. Working on this has me absolutely frightened of all the traffic coming out of my device!
Photo
