Tag Archives: malware

Welcome to The Internet of Compromised Things – How not to be hacked, routers

squid eating a router!!!

A good write-up by Jeff addresses a problem that has existed for several years, but only recently is starting to get malicious. A few hackers demonstrated how the software running common internet modems and routers were vulnerable to attack. A few good-minded-souls even wrote code to scan the internet; find them; and exploit them to install the update.

Of course, there were those who used those same routers to mine for crypto-currency and others who created attack bot networks. The article highlights how these unprotected devices are hacked and allow for anyone passing traffic through them to be infected with malware on their machine.

A good article with rather excellent tips for mitigation at the end. Very much inline with several tips I drafted for How Not To Be Hacked, the book, and some tips that didn’t make it due to complexity. If you only skim it … be sure to make it to the end where the tips are listed!!!

For security professionals Jeff raised one point that I thought was a challenge to our industry, and highlighted it below:

Buy a new, quality router. You don’t want a router that’s years old and hasn’t been updated. But on the other hand you also don’t want something too new that hasn’t been vetted for firmware and/or security issues

via Welcome to The Internet of Compromised Things.

How ridiculous our world is sometimes … buy a new router, but not too new … but also not too old. HAH… That fails the How not to be hacked, Can you explain it to your grandma test (something I learned in the Head Game). It is valid though … and reflects the challenge of security professionals.

Good write-up,



Hacking Drones Close to Being Drawn up by Boeing and Hacking Team

Drone-HackedA high schooler could have done this, but these 2 didn’t get it done because of a NDA!?  Sad and shows sometimes progress can be derailed by the smallest of things. Passion is finicky and when pursuing the development of new ideas they need to be nurtured in and between organizations.

The technology already exists, and I’d bet for less than $2k it could be made operational. Perhaps we’ll see these at DefCon just to show how feasible and fun they can be in real life?

Leaked emails between Italian spyware vendor Hacking Team and Boeing subsidiary Insitu revealed that drones carrying malware to infect targeted computers via Wi-Fi by flying over their proximity is close to becoming a reality.

Spyware-carrying drones were being discussed by Insitu, a division of Boeing and now-disgraced malware firm Hacking Team, according to leaked emails from the recent breach of the Italian company which have been posted on WikiLeaks, Engadget reported.

It was only the failure to come to terms over a non-disclosure agreement that kept Insitu and Hacking Team ‘teaming up’ together in order to create the malware infesting drone.

via Hacking Drones Close to Being Drawn up by Boeing and Hacking Team.

Ps.. I wrote a book to help Information Security professionals share Tips to the other 3.1 billion people in the world struggling to stay secure and safe online. I’d love for you to share the news and benefit from the book – How not to be hacked

Bank Hackers Steal Millions ($100M+) via Malware & long campaign – NYTimes.com

A good article was released on the NYT today highlighting an elongated attack into up to 100 banks where methods were learned by attackers, and then exploited. What is interesting here is that the attackers studied the banks own processes and then customized their behaviors accordingly.

It would be difficult to imagine these campaigns to succeed for such a long period as occurred if the malware was detected (which is possible with interval security process studies), and or the bank processes were re-examined by risk officers for activity within the dollar range thresholds. It is typical for data to be slowly “dripped” out of networks to stay below range (hence when signatures are essentially worthless as a preventive/detective tool), and thus similar fraud behavior is needed at the human/software process level.

I look forward to the report to analyze the campaign and share any possible learnings beyond this surface article. Two highlights of the NYT article jump to me, include:

Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.

The hackers’ success rate was impressive. One Kaspersky client lost $7.3 million through A.T.M. withdrawals alone, the firm says in its report. Another lost $10 million from the exploitation of its accounting system. In some cases, transfers were run through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift, which banks use to transfer funds across borders. It has long been a target for hackers — and long been monitored by intelligence agencies.

via Bank Hackers Steal Millions via Malware – NYTimes.com.

The report is planned for release on Feb 16, and I hope there are substantial facts on the campaign.

Thanks for Kaspersky to continue to lead research and providing solutions.




Attribution & Intent challenges: Comparing Regin module 50251 and “Qwerty” keylogger

Kaspersky Labs (a pretty wicked good set of researchers) published an analysis on the Snowden shared source code and found it identical in part to a piece of malware known as Regin. Regin has been in the digital space for nearly 10 years and has been attributed to a number of infected systems globally.

I would encourage everyone to read and understand the analysis as it is quite thorough and interesting .. go ahead, I’ll wait .. Comparing the Regin module 50251 and the “Qwerty” keylogger – Securelist.

While I cannot speak to the course and reason behind this tool, beyond the obvious conjectures, I would stress one critical point.  Attribution and intent.

Attribution is hard and of little value

As we find with other digital attacks, attribution is very difficult and I often tell clients to not focus on that as a basis for sanity and response. This is obvious in the difficulty in attributing such attacks, but also the problems with incorrectly making such assertions. I.e., JP Morgan’s “Russian attack on the bank due to their activities” during Ukraine incident was in fact a breach due to simple human error on configuring a server.


We as the observers do not know the intent of the operatives with the malware. In this case with the NSA we have identified malware in various locations, but as we all know … malware code spreads pretty freely without much direction. The concept that one system was infected unintentionally or without purpose from the operators is pretty high.

This comes to the forefront with our own internal analysis of attacks and breaches in our corporate environments. We must seek out all of the possible vectors, and not allow our bias or evidence on hand sway us incorrectly.

Spiegel.de article on Kaspersky report and other thoughts



If I were Evil Series: Creating a malware pandemic through USB charging stations

I would infect the USB power stations at airports & first class w/ malware to take-over all the Laptops & Smart-devices, iPads, iPhones, and latest Samsung device. I would do this either one on one device – much like spreading a virus as demonstrated through pace makers (Jonathan Brossard did a proof of concept of infecting pace makers simply by proximity with each other), much like any other virus. The goal would be simply to infiltrate systems and these devices for exfiltration and espionage.

Of course one could do this too at the hardware level by poisoning the chipsets coming out of China, as was done with the missile guidance chips…

If I were Evil that is …

Infrastructure Security Response, Google excludes 11M+ domains

Google officially removed a “freehost” provider from a Korean Company that was providing the .co.cc domain (link to The Register article).  This was done on the basis of a large percentage of spammy or low-quality sites.  According to the Anti-Phishing Working Group (report) this top level domain accounted for a large number of mal-ware, phishing, and spam traffic.

This defensive move by Google frames nicely a counter move to what I have termed as ‘Infrastructure level attacks’.  These types of attacks are executed through planned and global programs designed to bypass the fundamental security safeguards organizations deploy.  The popular examples are RSA SecureID Tokens and Comodo certificates.

The challenge has been how to respond equally to such attacks, and here we are seeing an exploration into this response.  The U.S. Government is exploring filters and preventive tools at the ISP level, and here we have a propagator of search results eliminating the possibility of users connecting to such domains – regardless of any possible non-malicious site.

This highlights the need to examine the information security program of your organization and the core providers.  This examination must consider risks that are known and ‘far-fetched ideas’ (such as the domain being blocked at the ISP level) that may impact your business.  Such continuous programs of risk assessment are key, but just as critical is the examination and pivoting of the program itself.  (yes.. a risk assessment of the risk assessment program).

Counter thoughts?

James DeLuccia