malware

AWS 推出 Amazon Route 53 Resolver DNS Firewall

長久以來的洞總算有比較好的方法補上了，AWS 推出了 Amazon Route 53 Resolver DNS Firewall：「Introducing Amazon Route 53 Resolver DNS Firewall」。

Route 53 Resolver 是 AWS 官方提供的 DNS Resolver，沒有特殊的設定的話通常會在 x.x.x.2 (/24 或是更大的網段)，先前一直沒有辦法解決 data leak 的問題，也就是透過 DNS 把敏感資料從 private network 裡丟出去。

以前的作法是透過 security group 擋掉對 Route 53 Resolver 的流量 (或是透過 VPC 的 Firewall 擋)，然後自己架設兩台 DNS resolver 過濾，現在 Route 53 Resolver 支援 DNS Firewall，提供 allowlist 與 blocklist 這兩個功能使用，總算是把這件事情解的比較乾淨了：

Route 53 Resolver DNS Firewall lets you create “blocklists” for domains you don’t want your VPC resources to communicate with via DNS. You can also take a stricter, “walled-garden” approach by creating “allowlists” that permit outbound DNS queries only to domains you specify. You can also create alerts for when outbound DNS queries match certain firewall rules, allowing you to test your rules before deploying for production traffic.

另外這次的 DNS Firwall 提供了兩組由 AWS 維護的清單讓人使用，包括了 malware 與 botnet：

Route 53 Resolver DNS Firewall offers two managed domain lists—malware domains and botnet command and control domains—enabling you to get started quickly with managed protections against common threats.

這樣省事多了...

原來 Disqus 已經被網路廣告公司買走了...

在「Disqus, the dark commenting system」這邊才看到 Disqus 被網路廣告公司買的消息：

Disqus was acquired by an advertising company called Zeta Global in 2017. Obviously, advertising companies do everything to increase their revenue (Ex: the Big G).

引用的報導則是在「Zeta Global acquires commenting service Disqus」這邊可以看到，大約在三年前發生的事情...

基本上已經變成廣告追蹤平台了：

I analyzed the network requests log. Disqus makes HTTP requests to 11 different third-party domains through the browser. All of these websites are trackers/pixels (Even some were detected as malware by my security guard).

而且就算是付費會員也一樣，還是會追蹤：

When you provide a free product, money should come from somewhere. Disqus uses advertising for that. Now, I subscribed to a paid plan trial of Disqus to see if things change or not. No! Even in the paid plans, the same pixels are loaded on the client-side. Looks like there's no way to opt-out from tracking.

後面的推薦可以看看就好，自己架應該還是比較好的選擇... 用「open source comment system」搜有些東西可以參考。

利用 Smart TV 監控的技術也成熟了...

透過 WikiLeaks 公開出來的文件得知 CIA 與 MI5 都已經有能力將後門埋入 Samsung 的 Smart TV 內：「The CIA Spied on People Through Their Smart TVs, Leaked Documents Reveal」。

Hackers at the Central Intelligence Agency, with the help of colleagues from the British spy agency MI5, developed malware to secretly spy on targets through their Samsung Smart TVs, according to new documents published by WikiLeaks.

這個後門在 Fake-Off 模式中仍然可以繼續運作：

The malware was designed to keep the smart TVs on even when they were turned off. This was dubbed "Fake-Off mode," according to the documents.

甚至可以控制 LED 燈，讓被監控人無法得知現在 Smart TV 其實還在運作中：

The CIA hackers even developed a way to "suppress" the TVs LED indicators to improve the "Fake-Off" mode.

突然想到該找時間複習 1984，裡面描述的概念現在在生活週邊愈來愈多了...

擋廣告的 Pi-hole

Pi-hole 最近愈來愈紅的一個計畫，技術上是透過 DNS 把不想要的網域名稱擋掉，通常就是擋掉各種 tracking 與廣告系統。

因為是透過 DNS 擋，當然沒有像 uBlock Origin 直接 parse 網頁內容來的有效，但對於方便性來說則是大勝，只需要在網路設備上設一次，所有的裝置都可以用到。

剛剛看到「How a Single Raspberry Pi made my Home Network Faster」這篇，可以看到 Pi-hole 有不錯的介面可以看 (讓你自我感覺良好？XD)：

文章作者跑了一個月後，也直言還是有些東西會壞掉，需要設定一些白名單讓他動：

Review after 1 month in operation
The Pi-Hole has been running for 1 month now on my home network. I have had to whitelist 1 or 2 URLs which was blocking a reset of an Alexa which had an issue, and a video conferencing system had all sorts of tracking and metrics built in which were causing some havoc until I whitelisted them. Otherwise, the Pi has been chugging along at 8% memory utilization, and the network is considerably faster when surfing the web.

對於手癢自己玩應該還可以，拿到辦公室的話應該會有不少東西掛掉... (不過文章作者好像想這樣做)

Avast 放出他們的 Decompiler，RetDec

Avast 以 MIT License 放出他們的 Decompiler，叫做 RetDec：「Avast open-sources its machine-code decompiler」，專案在 GitHub 上的 avast-tl/retdec 這邊。

Decompiler，也就是直接把 machine code 試著轉回高階語言的程式碼：

這對於分析工作來說簡化很多，尤其是在資安產業的人... 以往比較常見是轉成 assembly 再用人工分析，現在這樣有機會讓大腦輕鬆一些。

雖然目前有些限制 (像是 32 bits only)，不過 open source 出來後，可以預料會有不少人開始加功能進去：

Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.

拿來分析 Android APK 檔的 Droidefence

忘記在哪邊看到的，分析 Android APK 檔的軟體：「Droidefense: Advance Android Malware Analysis Framework」。

Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work. For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.

Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.

看起來是輔助用的工具... 先記錄下來 XD

OnePlus OxygenOS 內建的 Malware

看到「OnePlus OxygenOS built-in analytics」這篇，講作者在聽連線時看到 OnePlus OxygenOS 內建的 Malware：

從維基百科上的說明好像不怎麼意外啊：

一加（全稱：深圳市萬普拉斯科技有限公司，英語：OnePlus）是中國一家行動通訊終端裝置研製與軟體開發的企業，於2013年12月7日成立，主要開拓國外市場。

作者一開始看到各種行為，像是 screen_off、screen_on、unlock、abnormal_reboot：

{
    "ty": 3,
    "dl": [
        {
            "id": "258cfeb1",
            "en": "screen_off",
            "ts": 1484177517017,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "screen_on",
            "ts": 1484177826984,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "unlock",
            "ts": 1484177827961,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "en": "abnormal_reboot",
            "ts": 1484178427035,
            "oed": [],
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ...
    ]
}

然後是各種機器資訊，包括 MAC address、IMEI 之類的：

{
    "ty": 1,
    "dl": [
        {
            "ac": "",
            "av": "6.0.1",
            "bl": 82,
            "br": "OnePlus",
            "bs": "CHARGING",
            "co": "GB",
            "ga": 11511,
            "gc": 234,
            "ge": 6759424,
            "gn": 30,
            "iac": 1,
            "id": "258cfeb1",
            "im": "123456789012345,987654321098765",
            "imei1": "123456789012345",
            "it": 0,
            "la": "en",
            "log": "",
            "ma": "aa:bb:cc:dd:ee:ff",
            "mdmv": "1.06.160427",
            "mn": "ONE A2003",
            "nci": "23430,",
            "ncn": ",",
            "noi": "23430,",
            "non": "EE,",
            "not": "LTE,",
            "npc": "gb,",
            "npn": "07123456789,07987654321",
            "nwa": "aa:bb:cc:dd:ee:ff",
            "nwb": "ff:ee:dd:cc:bb:aa",
            "nwh": false,
            "nwl": 0,
            "nws": ""CHRISDCMOORE"",
            "ov": "Oxygen ONE A2003_24_161227",
            "pcba": "",
            "rh": 1920,
            "ro": false,
            "romv": "3.5.6",
            "rw": 1080,
            "sov": "A.27",
            "ts": 1484487017633,
            "tz": "GMT+0000"
        }
    ]
}

然後是開了什麼 app XDDD

{
    "ty": 4,
    "dl": [{
            "id": "258cfeb1",
            "pn": "com.Slack20003701",
            "pvc": "20003701",
            "tk": [
                [1484079940460, 1484079952177],
                [1484081525486, 1484081603191],
                [1484081603424, 1484081619211],
                ...
            ],
            "it": 0
        }, {
            "id": "258cfeb1",
            "pn": "com.microsoft.office.outlook170",
            "pvc": "170",
            "tk": [
                [1484084321735, 1484084333336],
                [1484084682578, 1484084683668],
                [1484084685843, 1484084688985],
                ...
            ],
            "it": 0
        }, ...
    ]
}

以及在 app 裡面做了什麼 XDDD (像是 ChromeTabbedActivity start、RecentsActivity stop、WifiSettingsActivity start、Settings start)

{
    "ty": 2,
    "dl": [{
            "id": "258cfeb1",
            "pi": 12795,
            "si": "127951484342058637",
            "ts": 1484342058637,
            "pn": "com.android.chrome",
            "pvn": "55.0.2883.91",
            "pvc": 288309101,
            "cn": "ChromeTabbedActivity",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ... {
            "id": "258cfeb1",
            "pi": 4143,
            "si": "41431484342115589",
            "ts": 1484342115589,
            "pn": "com.android.systemui",
            "pvn": "1.1.0",
            "pvc": 0,
            "cn": "RecentsActivity",
            "en": "stop",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, {
            "id": "258cfeb1",
            "pi": 26449,
            "si": "264491484342115620",
            "ts": 1484342115620,
            "pn": "com.android.settings",
            "pvn": "6.0.1",
            "pvc": 23,
            "cn": "WifiSettingsActivity",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ... {
            "id": "258cfeb1",
            "pi": 2608,
            "si": "26081484346421908",
            "ts": 1484346421908,
            "pn": "com.android.settings",
            "pvn": "6.0.1",
            "pvc": 23,
            "cn": "Settings",
            "en": "start",
            "aed": [],
            "sa": true,
            "it": 0,
            "rv": "OnePlus2Oxygen_14.A.27_GLO_027_1612271635"
        }, ...
    ]
}

有人提供了移除的方法：

@chrisdcmoore I've read your article about OnePlus Analytics. Actually, you can disable it permanently: pm uninstall -k --user 0 pkg

— Jakub Czekański (@JaCzekanski) October 10, 2017

但你可以不要買這個牌子啊 XDDD

Cloudflare 對 Coinhive 挖礦的態度

TorrentFreak 的標題不夠精確，不過大概可以看出 Cloudflare 的想法：「Cloudflare Bans Sites For Using Cryptocurrency Miners」。

在沒有告知使用者，以及沒有提供選項關閉的情況下，Cloudflare 認定這是 Malware...

在飯店裡攻擊企業的高階主管

算是為什麼企業要提供 Full Routing VPN 的一個攻擊管道的說明...

這篇介紹了在飯店裡透過 WiFi 攻擊企業的高階主管，想辦法塞木馬取得資訊，或是滲透進企業內部的網路：「Hackers are using hotel Wi-Fi to spy on guests, steal data」。

Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.

有點介於 APT 與一般性的攻擊中間...

透過 DNS TXT 傳遞指令的惡意程式

看到「New Fileless Malware Uses DNS Queries To Receive PowerShell Commands」這篇，所以是有人開始這樣惡搞了...

Distributed through an email phishing campaign, the DNSMessenger attack is completely Fileless, as it does not involve writing files to the targeted system; instead, it uses DNS TXT messaging capabilities to fetch malicious PowerShell commands stored remotely as DNS TXT records.

利用 DNS 的穿透力來取得外部資訊...