Stop using NSA-influenced code in our products, RSA tells customers

Officials from RSA Security are advising customers of the company's BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in those products that was recently revealed to contain a backdoor engineered by the National Security Agency (NSA).

An advisory sent to select RSA customers on Thursday confirms that both products by default use something known as Dual EC DRBG when creating cryptographic keys. The specification, which was approved in 2006 by the National Institute of Standards and Technology (NIST) and later by the International Organization for Standardization, contains a backdoor that was inserted by the NSA, The New York Times reported last week. RSA's advisory came 24 hours after Ars asked the company if it intended to warn BSAFE customers about the deliberately crippled pseudorandom number generator (PRNG), which is so weak that it undermines the security of most or all cryptography systems that use it.

"To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG," the RSA advisory stated. "Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation" on RSA's websites.


iOS 7 lock screen bug allows full access to Photos app, contact info

New software comes with new features, but in the case of iOS 7, it also comes with new bugs. Forbes reports that a bug in the new Control Center feature can allow an attacker with physical access to your device full access to your Photos app even if you've protected your phone with a passcode. After following the steps to reproduce the bug, the attacker can open the Camera app from the multitasking window and then open the Photos app from there.

We were able to replicate this bug on an iPhone 4S, iPhone 5, fifth-generation iPod touch, and an iPad mini, so it seems likely that this affects all devices that can be upgraded to iOS 7. The vulnerability was discovered by Jose Rodriguez, who also uncovered a lock screen bug in iOS 6.1.3 (but not the earlier bug in version 6.1).

The bug doesn't allow an intruder to gain unfettered access to much—you can't open apps that can't be opened by Control Center, and even thumbnails of running apps in the multitasking list are totally blank. An attacker can't see what you were looking at the last time you had Safari or Mail open. However, access to the Share menu from the Photos app means that they can view your contacts, send out pictures via the Messages app, and send pictures via any e-mail or social media accounts you've configured. Stored e-mails, passwords, and other non-photo data does not appear to be accessible, and while you can see all of the icons on the device's Home screen, you can't actually launch any of them.


Vertexnet Botnet Hides Behind AutoIt

Recently we found some new malware samples using AutoIt to hide themselves. On further analysis we found that those samples belong to the Vertexnet botnet. They use multiple layers of obfuscation; once decoded, they connect to a control server to accept commands and transfer stolen data.

This sample is packed using a custom packer. On execution it drops three files in the %TEMP% folder.

[Image: vertex1]

These files are compiled using aut2exe. The malware next executes the file botnet.exe from the temp folder. This file is written in AutoIt. We can easily decompile it using Exe2Aut.

[Image: vertex2]

This file uses various obfuscated variables that are encrypted using a simple algorithm:

[Image: vertex3]

Decoding the variables, we can see that this script calls various Windows APIs using the AutoIt DLL functions DllStructCreate, DllStructGetPtr, DllCall, etc.

[Image: vertex12]

Searching Google, we easily found the original code that was likely used, with obfuscation added, in the preceding script: http://www.autoitscript.com/forum/topic/99412-run-binary/

(The post at that link, which describes how to run an executable from memory, is old; it was made around 2009 on autoitscript.com.)

The technique of running an executable from memory through an AutoIt script is well documented at that link. To summarize, it first creates a process with the CREATE_SUSPENDED flag:

[Image: vertex4]

Next it uses GetThreadContext to get the CONTEXT structure:

[Image: vertex5]

Subsequently, it uses WriteProcessMemory and SetThreadContext, and allocates memory for the data.

[Image: vertex6]

Then it resumes the thread:

[Image: vertex7]

After dumping the data in WriteProcessMemory calls, we get a Visual Basic file, which uses the RunPE method to execute the payload:

[Image: vertex8]

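A defender-side check for the API sequence described above, added here as an example and not code from the McAfee analysis: it scans a decompiled AutoIt script for DllCall invocations, confirms that CreateProcess, GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread appear in that order, and resolves the creation-flags argument to see whether CREATE_SUSPENDED (0x4) is set. The script text is a constructed stand-in, and the argument handling assumes AutoIt's documented "type", value pairing in DllCall.

```python
import re

# API call order the article describes for running an executable from memory.
RUNPE_SEQUENCE = ["CreateProcess", "GetThreadContext", "WriteProcessMemory",
                  "SetThreadContext", "ResumeThread"]
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit: primary thread starts suspended

# Constructed stand-in for a decompiled AutoIt script (not the Vertexnet sample itself).
SAMPLE_SCRIPT = r'''
$iFlags = 0x4
$aProc = DllCall("kernel32.dll", "int", "CreateProcessW", "ptr", 0, "wstr", $sCmd, "ptr", 0, "ptr", 0, "int", 0, "dword", $iFlags, "ptr", 0, "ptr", 0, "ptr", DllStructGetPtr($tSI), "ptr", DllStructGetPtr($tPI))
$tCtx = DllStructCreate("dword[179]")
DllCall("kernel32.dll", "int", "GetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCtx))
DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "ptr", $hProc, "ptr", $pBase, "dword", $iSize, "dword", 0x3000, "dword", 0x40)
DllCall("kernel32.dll", "int", "WriteProcessMemory", "ptr", $hProc, "ptr", $pBase, "ptr", $pData, "dword", $iSize, "ptr", 0)
DllCall("kernel32.dll", "int", "SetThreadContext", "ptr", $hThread, "ptr", DllStructGetPtr($tCtx))
DllCall("kernel32.dll", "int", "ResumeThread", "ptr", $hThread)
'''

# DllCall("dll", "rettype", "ApiName", <"type", value>...): capture the API name and the rest.
DLLCALL_RE = re.compile(r'DllCall\(\s*"[^"]+"\s*,\s*"[^"]+"\s*,\s*"(\w+)"\s*(?:,([^\n]*))?\)')

def dllcalls(script):
    """Return (api_name, raw_argument_text) for every DllCall, in source order."""
    return [(m.group(1), m.group(2) or "") for m in DLLCALL_RE.finditer(script)]

def api_sequence(script):
    """Drop the A/W suffix and keep only the calls that belong to the RunPE sequence."""
    names = [re.sub(r"[AW]$", "", n) for n, _ in dllcalls(script)]
    return [n for n in names if n in RUNPE_SEQUENCE]

def in_runpe_order(seq):
    """True if every step of RUNPE_SEQUENCE occurs in order (other calls may interleave)."""
    pos = 0
    for n in seq:
        if pos < len(RUNPE_SEQUENCE) and n == RUNPE_SEQUENCE[pos]:
            pos += 1
    return pos == len(RUNPE_SEQUENCE)

def creation_flags(script):
    """Resolve dwCreationFlags (6th value) of the CreateProcess DllCall; None if absent."""
    for name, args in dllcalls(script):
        if name.startswith("CreateProcess"):
            values = [v.strip() for v in args.split(",")][1::2]  # "type", value -> value
            flags = values[5]
            if flags.startswith("$"):  # a variable: look up its assignment in the script
                m = re.search(re.escape(flags) + r"\s*=\s*([^\n]+)", script)
                flags = m.group(1).strip() if m else "0"
            return int(flags, 0)
    return None

def assess(script):
    seq = api_sequence(script)
    flags = creation_flags(script)
    return {"sequence": seq, "runpe_order": in_runpe_order(seq),
            "create_suspended": flags is not None and bool(flags & CREATE_SUSPENDED)}

if __name__ == "__main__":
    print(assess(SAMPLE_SCRIPT))
```

Interleaved calls such as VirtualAllocEx are ignored, so the check tolerates the allocation step appearing between any of the named calls.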
The final payload is VertexNet 1.2, which we discovered from the strings it contains:

[Image: vertex10]

On executing the final payload, it communicates with the control server:

[Image: vertex11]

We see a constant increase in AutoIt malware because of its ease of use. We have found that malware authors always use ready-made tools and quickly adapt to new tricks.

McAfee customers are protected against this threat by IPS signature: BOT: VertexNet Bot Activity Detected.

I would like to thank my colleague Arunpreet Singh for his help with the analysis of this threat.