Author Archives: Duncan Newell

About Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Dangerous Carbon Monoxide Alarms Removed From Amazon And eBay

Some carbon monoxide alarms sold by Amazon and eBay have been taken offline after failing safety tests. The consumer watchdog Which? said some of the alarms appeared identical to ones that had failed its tests in 2016.

One of the alarms, the Topolek GEHS007AW CO alarm, costing £14.99 and listed as a bestseller on Amazon, failed to detect the gas in more than 80% of the tests conducted by the watchdog.

Which? called on the Office for Product Safety and Standards (OPSS) to take a “more active role” in market surveillance to identify products on sale that pose a potential safety risk.

An unbranded carbon monoxide alarm Credit: Which?/PA

A Department for Business, Energy and Industrial Strategy spokesman said: “The Government’s top priority is to keep people safe, which is why goods being sold in the UK must meet some of the strictest safety laws in the world. The Office for Product Safety and Standards works with local authority Trading Standards and Border Force to ensure dangerous products do not reach UK consumers. The evidence provided by Which? will be reviewed by the office and action will be taken as appropriate.”

Zacinlo Rootkit Adware

Zacinlo is an adware trojan that uses rootkit functionality to gain persistence across operating system re-installations.

At the time of publication, Zacinlo is delivered through a seemingly legitimate VPN application. Once installed, this application instead acts as a proxy and downloader, initiating communications with a command and control (C2) server and retrieving the malware packages. The rootkit also has a self-update feature that keeps it on the latest version.

When installed, Zacinlo’s modules provide it with a wide range of capabilities including advert injection using man-in-the-middle attacks over HTTPS, traffic redirection and installing other malware.

Zacinlo’s main functions appear to be to display advertisements and to run a hidden browser to generate income for the attackers by clicking on more advertisements. It’s also capable of removing competing adware.

The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

Zacinlo’s rootkit module is also used to terminate or block processes deemed dangerous to its operation, such as anti-virus programs or security services.

Affected Platforms

  • Microsoft Windows – Versions 7, 8, 8.1 and 10


Kardon Loader Trojan

Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.

Kardon Loader appears to be distributed through the popular ‘Pink Panther’s’ botshop, although the total number of infections is low.

Currently, most Kardon Loader instances act as a simple loader; however, newer variants include greater functionality, including adding or removing applications, file transfer and botnet features. There are also indications that Tor and domain generation algorithm (DGA) support will be implemented for command and control communications.

Kardon Loader uses HTTP based C2 infrastructure with URL parameters that are base64 encoded.

Hashes (SHA-256)

  • fd0dfb173aff74429c6fed55608ee99a24e28f64ae600945e15bf5fce6406aee
  • b1a1deaacec7c8ac43b3dad8888640ed77b2a4d44f661a9e52d557e7833c7a21
  • 3c64d7dbef4b7e0dd81a5076172451334fe9669800c40c895567226f7cb7cdc7

Command and Control Domains

  • Kardon[.]ddns[.]net
  • Jhuynfrkijucdxiu[.]club
  • Kreuzberg[.]ru
  • Cryptdrop[.]xyz
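The base64-encoded URL parameters described above are something a proxy or IDS can look for, alongside the C2 domains listed. The following Python is added here as a worked example; it is not code from the page or from any published Kardon analysis. It refangs the four domains above and flags proxy requests whose host is one of them or whose query values are well-formed base64. The proxy log lines it scans are constructed, and the `gate.php` path and parameter names are assumptions, not observed Kardon traffic.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# C2 hostnames from the indicator list above, defanged with "[.]" as published.
KARDON_C2_DEFANGED = [
    "Kardon[.]ddns[.]net",
    "Jhuynfrkijucdxiu[.]club",
    "Kreuzberg[.]ru",
    "Cryptdrop[.]xyz",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("Kardon[.]ddns[.]net") back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


KARDON_C2 = {refang(h) for h in KARDON_C2_DEFANGED}

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(value: str, min_len: int = 8) -> bool:
    """True if value is a non-trivial, canonically padded base64 string that decodes cleanly.
    Short values are rejected to limit (not eliminate) false positives on ordinary query strings."""
    if len(value) < min_len or len(value) % 4 != 0 or not _B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def inspect_request(url: str) -> dict:
    """Score one requested URL: which parameters carry base64 payloads, and is the host a known C2."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    b64_params = [k for k, v in parse_qsl(parts.query, keep_blank_values=True) if looks_base64(v)]
    return {
        "host": host,
        "known_c2": host in KARDON_C2,
        "base64_params": b64_params,
        "suspicious": host in KARDON_C2 or bool(b64_params),
    }


def scan_proxy_log(lines):
    """Yield findings for proxy log lines of the constructed form '<ts> <client_ip> <method> <url>'."""
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        finding = inspect_request(fields[3])
        if finding["suspicious"]:
            finding["client"] = fields[1]
            yield finding


# Constructed sample log lines, not captured traffic. The "id" value is base64 of "10.0.0.5|WIN10|admin".
SAMPLE_LOG = [
    "2018-06-01T10:00:00Z 10.0.0.5 GET http://kardon.ddns.net/gate.php?id=MTAuMC4wLjV8V0lOMTB8YWRtaW4=&a=1",
    "2018-06-01T10:00:01Z 10.0.0.7 GET http://example.com/search?q=kardon+loader",
    "2018-06-01T10:00:02Z 10.0.0.9 GET http://unknown-host.test/api?data=aGVsbG8gd29ybGQh",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding)
```

A base64 check on its own is a weak signal (an 8-character alphanumeric token decodes just as cleanly), so in practice the domain match and the base64 heuristic are best combined with the host's process context or an allowlist of known services that legitimately pass base64 in query strings.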


Mylobot Botnet

Mylobot is a botnet that targets and takes control of devices running Microsoft Windows.

Mylobot employs a variety of techniques to evade detection and analysis. When it infects a new host, Mylobot waits for two weeks before contacting its Command and Control (C2) servers. It terminates Windows Defender and Windows Update, and attempts to delete other malware previously installed on the host. It can also execute files directly from memory, without them being written to storage.

It also terminates and deletes any EXE file running from the %APPDATA% folder, which can cause data loss. The main function of the botnet is to take complete control of the user’s computer; the damage done depends on the payload the attackers decide to distribute.

Mylobot gives the threat actors full control over infected hosts and allows them to install additional malware. The C2 servers have previously been linked to the Locky ransomware. Examination of the C2 server in use shows that it has served other malware campaigns, all of which emanate from the dark web, so the threat actors behind Mylobot are likely involved in a range of activities. With the C2 infrastructure having been active for two and a half years, those behind Mylobot have been operating for some time, and their tactics suggest a well-resourced operation.


Asprox Botnet

First observed in 2008, Asprox is a Windows-based botnet used to perform SQL injection and phishing campaigns.

Asprox is distributed through compromised websites. Previously infected devices are used to scan for sites running Active Server Pages (ASP or ASP.NET) before attempting to gain command execution on the site’s server using SQL injection. If successful, it injects JavaScript or HTML iframes into the targeted site to enable drive-by downloads of Asprox.

Once installed, Asprox will spawn a process to connect to its command and control infrastructure and edit registry entries to maintain persistence. It also contains a secondary backdoor known as Kuluoz (AKA Cidox or Rerdom), which is used to download and install further malware.

Palo Alto Networks released a report stating that in October 2014, Kuluoz, the latest version of the Asprox malware, accounted for approximately 80 percent of all malware sessions recorded by their WildFire threat intelligence service.

Affected Platforms

Microsoft Windows – All versions

Hosts And IPs To Block

  • 212.61.180[.]100
  • brokenpiano[.]ru/b/opt/b168fc221e5c61d9aef80425
  • hxxp://lowbalance[.]su/
  • hxxp://oldfirefox[.]su/
  • hxxp://irishjuice[.]su/
  • hxxp://everydaypp[.]ru/
  • hxxp://nitmurmansk[.]su/
  • hxxp://brokenpiano[.]ru/
  • hxxp://198[.]154[.]224[.]48:8080/
  • hxxp://65[.]254[.]49[.]118:8080/
  • hxxp://212[.]81[.]134[.]56:1080/
  • hxxp://212[.]81[.]134[.]57:1080/
  • hxxp://174[.]127[.]103[.]45:443/
  • hxxp://198[.]58[.]102[.]172:8080/
  • hxxp://74[.]117[.]158[.]3:443/
  • hxxp://70[.]32[.]94[.]46:8080/
  • hxxp://178[.]207[.]18[.]188:443/
  • hxxp://173[.]255[.]241[.]19:8080/
  • hxxp://194[.]38[.]104[.]218:443/
  • hxxp://162[.]248[.]167[.]184:443/
  • hxxp://65[.]254[.]49[.]116:8080/
  • hxxp://178[.]18[.]18[.]30:443/
  • hxxp://122[.]155[.]167[.]122:8080/
  • hxxp://61[.]90[.]197[.]150:8080/
  • hxxp://27[.]254[.]40[.]105:8080/
  • hxxp://69[.]164[.]221[.]7:443/
  • hxxp://209[.]160[.]65[.]96:8080/
  • hxxp://166[.]78[.]145[.]146:443/
  • hxxp://46[.]28[.]68[.]144:8080/
  • hxxp://162[.]144[.]37[.]28:8080/
  • hxxp://198[.]154[.]216[.]149:8080/
  • hxxp://178[.]21[.]117[.]34:8080/
  • hxxp://162[.]213[.]250[.]124:8080/
  • hxxp://203[.]151[.]23[.]69:8080/
  • hxxp://70[.]32[.]85[.]69:8080/
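The list above is defanged (“hxxp”, “[.]”) and mixes bare IPs, domains, host:port pairs and one full path. The Python below is an added example, not code from the page or from Palo Alto Networks: it turns a subset of those indicators into a structured blocklist that keeps the port and path where the list gives one, and checks requested URLs against it. Entries without a port block every port; the domain/IP split is there because domains belong in a DNS sinkhole or RPZ while bare IPs belong in firewall rules. Paste the remaining indicators into `ASPROX_IOCS` to cover the full list.

```python
import ipaddress
from urllib.parse import urlsplit

# Subset of the indicators listed above, copied as published (defanged with "[.]" and "hxxp").
ASPROX_IOCS = [
    "212.61.180[.]100",
    "brokenpiano[.]ru/b/opt/b168fc221e5c61d9aef80425",
    "hxxp://lowbalance[.]su/",
    "hxxp://oldfirefox[.]su/",
    "hxxp://brokenpiano[.]ru/",
    "hxxp://198[.]154[.]224[.]48:8080/",
    "hxxp://174[.]127[.]103[.]45:443/",
    "hxxp://212[.]81[.]134[.]56:1080/",
]


def refang(ioc: str) -> str:
    """Reverse the defanging used in threat-intel feeds so the value parses as a real URL."""
    s = ioc.strip().replace("[.]", ".")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return s if "://" in s else "http://" + s   # scheme-less "host[/path]" entries


def parse_ioc(ioc: str) -> dict:
    """Normalise one indicator. port=None means 'any port'; path='' means 'any path'."""
    u = urlsplit(refang(ioc))
    host = (u.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return {"kind": kind, "host": host, "port": u.port,
            "path": "" if u.path in ("", "/") else u.path, "raw": ioc}


BLOCKLIST = [parse_ioc(i) for i in ASPROX_IOCS]


def is_blocked(url: str):
    """Return the first blocklist entry matching a requested URL, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    for e in BLOCKLIST:
        if e["host"] != host:
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if e["path"] and not u.path.startswith(e["path"]):
            continue
        return e
    return None


def sinkhole_domains():
    """Domains to hand to a DNS sinkhole / RPZ."""
    return sorted({e["host"] for e in BLOCKLIST if e["kind"] == "domain"})


def firewall_ips():
    """(ip, port-or-None) tuples for firewall rules; None means block the address on every port."""
    return sorted({(e["host"], e["port"]) for e in BLOCKLIST if e["kind"] == "ip"}, key=str)


if __name__ == "__main__":
    print("sinkhole:", sinkhole_domains())
    print("firewall:", firewall_ips())
    for test_url in ("http://198.154.224.48:8080/index.php", "http://198.154.224.48/",
                     "http://brokenpiano.ru/b/opt/b168fc221e5c61d9aef80425"):
        print(test_url, "->", is_blocked(test_url))
```

Note the deliberate asymmetry: the list gives `198[.]154[.]224[.]48:8080`, so only port 8080 on that address is matched, whereas the bare `212.61.180[.]100` blocks every port. If you would rather block a listed IP outright regardless of the published port, drop the port comparison in `is_blocked` and the port from `firewall_ips`.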


Multiple Remote Vulnerabilities In Insteon Hub PubNub

Vulnerabilities discovered by Claudio Bozzato of Cisco Talos

Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution to denial of service. The majority of the vulnerabilities have their root cause in unsafe use of the strcpy() function, leading either to stack overflows or to global (data section) overflows.

Overview

Insteon Hub is a central controller that allows an end user to connect to and manage devices in their home remotely from a smartphone. To enable remote interaction via the internet, Insteon Hub uses an online service called PubNub.
End users install the “Insteon for Hub” application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub software development kit, which allows for bidirectional communication using PubNub’s REST API.
Unless stated otherwise, the vulnerabilities were found in Insteon Hub 2245-222 running firmware version 1012. As of firmware version 1016 these vulnerabilities are fixed; versions prior to this may be vulnerable.

TALOS-2017-0483 – Message Handler Multiple Stack Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a stack-based buffer overflow, which overwrites arbitrary data due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

Note. CVE rules require that we assign a separate CVE to each instance of a vulnerability that can be fixed independently.

CVE: CVE-2017-16252 through CVE-2017-16337

Full technical advisory is available.

TALOS-2017-0484 – Message Handler Multiple Global Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a buffer overflow on a global section overwriting arbitrary data, due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-16338, CVE-2017-16339, CVE-2017-16340, CVE-2017-16341, CVE-2017-16342, CVE-2017-16343, CVE-2017-16344, CVE-2017-16345, CVE-2017-16346, CVE-2017-16347

Full technical advisory is available.

TALOS-2017-0485 – Reboot Task Denial Of Service Vulnerability

An exploitable DoS vulnerability exists in the device firmware, which allows an attacker to arbitrarily reboot the device without authentication. An attacker can send a single UDP packet to trigger this vulnerability.

CVE: CVE-2017-16348

Full technical advisory is available.

TALOS-2017-0492 – HTTPExecuteGet Firmware Update Information Leak Vulnerability

The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the device’s memory. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14443

Full technical advisory is available.

TALOS-2017-0493 – HTTPExecuteGet Firmware Update URL Parameter Code Execution Vulnerability

The HTTP server implementation incorrectly handles the URL parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows; however, by using vulnerability TALOS-2017-0492 it is possible to bypass this protection and achieve code execution. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14444

Full technical advisory is available.

TALOS-2017-0494 – HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability

The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, which in this case, cannot be circumvented. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
CVE: CVE-2017-14445
Full technical advisory is available.

TALOS-2017-0495 – HTTPExecuteGet Parameters Extraction Code Execution Vulnerability

The HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. The vulnerability exists because the extraction of the arguments is made without ensuring size constraints. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
CVE: CVE-2017-14446
Full technical advisory is available.

TALOS-2017-0496 – Insteon Hub PubNub “ad” Channel Message Handler Code Execution Vulnerability

An exploitable buffer overflow vulnerability exists in the PubNub message handler for the “ad” channel. A specially crafted command sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
CVE: CVE-2017-14447
Full technical advisory is available.

TALOS-2017-0502 – Insteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the Hub handles the replies from PubNub, leading to the overwriting of arbitrary data in a global section. The attacker would need to impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.
CVE: CVE-2017-14452, CVE-2017-14453, CVE-2017-14454, CVE-2017-14455

Full technical advisory is available.

TALOS-2018-0511 – Insteon Hub PubNub MPFS Upload Firmware Update Vulnerability

The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker needs to have credentials that will be used to upload an MPFS binary via the “/mpfsupload” HTTP form and, later, upload the firmware via a POST request to “firmware.htm.”
This vulnerability was found on firmware version 1013.
CVE: CVE-2018-3832
Full technical advisory is available.

TALOS-2018-0512 – Insteon Hub PubNub Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn’t check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server “cache.insteon.com” and serve any signed firmware image.
CVE: CVE-2018-3833
Full technical advisory is available.

TALOS-2018-0513 – Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability

An exploitable permanent DoS vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn’t check the kind of firmware image that is going to be installed, and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent unusable condition. To trigger this vulnerability, an attacker needs to impersonate the remote server “cache.insteon.com” and serve a signed firmware image.
CVE: CVE-2018-3834
Full technical advisory is available.
Above information via – Cisco Talos
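TALOS-2018-0512 and TALOS-2018-0513 share a root cause: the Hub verifies the signature on a firmware image but not what the image is, so any genuine signed image, old or for the wrong MCU, is accepted, and because the download is plain HTTP an attacker who can impersonate the update server can pick which one. The Python below is an added example, not Insteon or Talos code, of the checks an updater needs after the signature passes. It uses an invented image layout (magic, MCU id, version, payload) and an HMAC standing in for the vendor's signature scheme; the key, MCU identifiers and version numbers are demo values. The point is that the MCU id and version live inside the signed region and are checked before anything is flashed.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption for this example, not Insteon's real format):
#   magic(4) | mcu_id(u16) | version(u32) | payload_len(u32) | payload | HMAC-SHA256(32) over everything before it
MAGIC = b"FWIM"
HDR = struct.Struct("<4sHII")
SIG_LEN = 32


def sign_image(key: bytes, mcu_id: int, version: int, payload: bytes) -> bytes:
    """Build and 'sign' an image; stands in for the vendor's signing step."""
    body = HDR.pack(MAGIC, mcu_id, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_and_parse(key: bytes, image: bytes) -> dict:
    """Check the signature first, then parse: header fields are untrusted until the signature holds."""
    if len(image) < HDR.size + SIG_LEN:
        raise ValueError("truncated image")
    body, sig = image[:-SIG_LEN], image[-SIG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    magic, mcu_id, version, plen = HDR.unpack_from(body)
    if magic != MAGIC or plen != len(body) - HDR.size:
        raise ValueError("malformed header")
    return {"mcu_id": mcu_id, "version": version, "payload": body[HDR.size:]}


def accept_update(key: bytes, image: bytes, this_mcu: int, installed_version: int):
    """Return (ok, reason). The two checks after parsing are the ones the advisories say the Hub lacked."""
    try:
        meta = verify_and_parse(key, image)
    except ValueError as err:
        return False, str(err)
    if meta["mcu_id"] != this_mcu:
        return False, "image is for a different MCU (would brick this one)"   # TALOS-2018-0513
    if meta["version"] <= installed_version:
        return False, "downgrade or same version refused"                     # TALOS-2018-0512
    return True, "ok"


# Demo values: constructed, not real Insteon keys, MCU identifiers or firmware.
KEY = b"demo-signing-key-not-a-real-one"
MCU_MAIN, MCU_RADIO = 1, 2

if __name__ == "__main__":
    good = sign_image(KEY, MCU_MAIN, 1017, b"new firmware")
    cases = {
        "newer, right MCU": good,
        "older, right MCU": sign_image(KEY, MCU_MAIN, 1012, b"old firmware"),
        "newer, other MCU": sign_image(KEY, MCU_RADIO, 1017, b"radio firmware"),
        "payload tampered": good[:HDR.size] + bytes([good[HDR.size] ^ 0xFF]) + good[HDR.size + 1:],
    }
    for name, img in cases.items():
        print(f"{name:18s} -> {accept_update(KEY, img, MCU_MAIN, 1016)}")
```

Fetching over HTTPS with a pinned server certificate would stop the impersonation described in the advisories, but it is not a substitute for these checks: a signed-but-wrong image served from the genuine CDN, or replayed from a cache, fails in exactly the same way.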


Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability [CVE-2018-8210]

An exploitable heap corruption exists in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). A crafted WIM image can lead to heap corruption, resulting in direct code execution.

The vulnerability is present in the wimgapi DLL, which is used for performing operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. The flaw in LoadIntegrityInfo manifests during parsing of the WIM file header: a specially crafted WIM file can lead to heap corruption and remote code execution. Because it is tied to header parsing, the vulnerability triggers even on the simplest operations performed on a malformed WIM file.

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.

Further details and updates – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210
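The advisory does not say what LoadIntegrityInfo gets wrong, so the example below does not reproduce the bug. It is an added Python parser, not Microsoft's code, written from the public description of the WIM on-disk layout as documented by the wimlib project: it reads the 0xD0-byte header, locates the integrity table through its resource header, and validates every size, offset and entry count against the real file length before allocating or indexing anything, which is the class of check whose absence lets a crafted header drive an under-sized heap allocation. `build_wim` constructs a minimal image (header, a dummy lookup-table region, integrity table) for demonstration; the field positions are taken from that documentation and should be treated as an assumption if you rely on them against real files.

```python
import hashlib
import struct

# Layout from public documentation of the WIM format (wimlib's description of wim_header_disk);
# not taken from Microsoft's wimgapi sources.
MAGIC = b"MSWIM\x00\x00\x00"
HDR_SIZE = 0xD0
RESHDR = struct.Struct("<7sBQQ")          # size_in_wim (7-byte LE), flags, offset_in_wim, original_size
FIXED = struct.Struct("<8sIIII16sHHI")    # magic, hdr_size, version, flags, chunk_size, guid, part, parts, images
LOOKUP_RESHDR_OFF, INTEGRITY_RESHDR_OFF = 48, 124
INTEGRITY_FIXED = struct.Struct("<III")   # table size, entry count, chunk size; then one SHA-1 (20 bytes) per chunk
SHA1_LEN = 20
MAX_TABLE = 16 * 1024 * 1024              # refuse absurd allocations before touching the data


class BadWim(ValueError):
    pass


def _reshdr(buf: bytes, off: int):
    size7, flags, offset, orig = RESHDR.unpack_from(buf, off)
    return int.from_bytes(size7, "little"), flags, offset, orig


def load_integrity_info(wim: bytes) -> dict:
    """Bounds-checked read of the integrity table: every length and offset is validated against the
    actual file size before it is used to size a buffer or index the data."""
    if len(wim) < HDR_SIZE:
        raise BadWim("file shorter than WIM header")
    magic, hdr_size, *_ = FIXED.unpack_from(wim, 0)
    if magic != MAGIC or hdr_size != HDR_SIZE:
        raise BadWim("bad magic or header size")
    lt_size, _, lt_off, _ = _reshdr(wim, LOOKUP_RESHDR_OFF)
    it_size, _, it_off, _ = _reshdr(wim, INTEGRITY_RESHDR_OFF)
    if it_size == 0 and it_off == 0:
        return {"present": False}
    if it_size < INTEGRITY_FIXED.size or it_size > MAX_TABLE or it_off < HDR_SIZE or it_off + it_size > len(wim):
        raise BadWim("integrity table does not fit in file")
    tbl_size, n, chunk = INTEGRITY_FIXED.unpack_from(wim, it_off)
    if tbl_size != it_size or chunk == 0 or n * SHA1_LEN != it_size - INTEGRITY_FIXED.size:
        raise BadWim("integrity table header inconsistent with resource size")
    end = lt_off + lt_size                 # the table covers [HDR_SIZE, end of lookup table)
    if end < HDR_SIZE or end > len(wim) or (end - HDR_SIZE + chunk - 1) // chunk != n:
        raise BadWim("chunk count does not match covered range")
    base = it_off + INTEGRITY_FIXED.size
    hashes = [wim[base + i * SHA1_LEN: base + (i + 1) * SHA1_LEN] for i in range(n)]
    return {"present": True, "chunk_size": chunk, "covered_end": end, "hashes": hashes}


def verify_integrity(wim: bytes) -> bool:
    """Recompute the per-chunk SHA-1s over the covered range and compare with the table."""
    info = load_integrity_info(wim)
    if not info["present"]:
        return True
    pos, ok = HDR_SIZE, True
    for h in info["hashes"]:
        piece = wim[pos:min(pos + info["chunk_size"], info["covered_end"])]
        ok &= hashlib.sha1(piece).digest() == h
        pos += info["chunk_size"]
    return ok


def build_wim(lookup_table: bytes, chunk: int = 4096, corrupt_offset: bool = False) -> bytes:
    """Construct a minimal WIM (header + lookup-table bytes + integrity table) for demonstration.
    corrupt_offset=True points the integrity resource header far past the end of the file."""
    lt_off = HDR_SIZE
    end = lt_off + len(lookup_table)
    n = (len(lookup_table) + chunk - 1) // chunk
    it_size = INTEGRITY_FIXED.size + n * SHA1_LEN
    it_off = 0xFFFFFFFF if corrupt_offset else end
    hdr = bytearray(HDR_SIZE)
    FIXED.pack_into(hdr, 0, MAGIC, HDR_SIZE, 0x10D00, 0, 0x8000, b"\x00" * 16, 1, 1, 1)
    RESHDR.pack_into(hdr, LOOKUP_RESHDR_OFF, len(lookup_table).to_bytes(7, "little"), 0, lt_off, len(lookup_table))
    RESHDR.pack_into(hdr, INTEGRITY_RESHDR_OFF, it_size.to_bytes(7, "little"), 0, it_off, it_size)
    table = INTEGRITY_FIXED.pack(it_size, n, chunk)
    for i in range(n):
        table += hashlib.sha1(lookup_table[i * chunk:(i + 1) * chunk]).digest()
    return bytes(hdr) + lookup_table + table


if __name__ == "__main__":
    sample = build_wim(bytes(range(256)) * 40)
    print("valid image verifies:", verify_integrity(sample))
    try:
        load_integrity_info(build_wim(b"x" * 100, corrupt_offset=True))
    except BadWim as err:
        print("crafted header rejected:", err)
```

The order matters: the entry count and table size from the file are cross-checked against each other and against the resource header before the hash list is sized, so a header that claims a tiny table but a huge entry count (or the reverse) is rejected rather than acted on.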


Microsoft OpenType Font Driver Vulnerability [CVE-2015-2426]

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.

The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.

This issue was addressed in Microsoft Security Bulletin MS15-078.

Further details – https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-078


Google Play Security Updates For Android Apps

In December last year Google announced that they would be making updates to app security to help verify product authenticity from Google Play. They are now adding a small amount of security metadata on top of APKs to verify that the APK was distributed by Google Play.

One of the reasons they are doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity.

In the future, for apps obtained through Play-approved distribution channels, Google will be able to determine app authenticity while a device is offline, add those shared apps to a user’s Play Library, and manage app updates when the device comes back online. This will give people more confidence when using Play-approved peer-to-peer sharing apps.

This also benefits you as a developer as it provides a Play-authorized offline distribution channel and, since the peer-to-peer shared app is added to your user’s Play library, your app will now be eligible for app updates from Play.

No action is needed by developers or by those who use your app or game. Google are adjusting Google Play’s maximum APK size to take into account the small metadata addition, which is inserted into the APK Signing Block. In addition to improving the integrity of Google Play’s mobile app ecosystem, this metadata will also present new distribution opportunities for developers and help more people keep their apps up to date.
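The metadata goes into the APK Signing Block, the region of the ZIP between the last entry and the central directory that also holds the v2/v3 signatures, so it travels with the file without invalidating the signature. The Python below, an added example rather than Google's or the page's code, locates that block from the ZIP end-of-central-directory record and lists its ID-value pairs; `build_test_apk` constructs a minimal ZIP carrying such a block, so nothing here touches a real APK. The block IDs for the v2 and v3 signature schemes and the verity padding block are from Android's public documentation and apksigner; the ID shown for Play's metadata (0x2146444e) is the one widely reported in public analyses and is an assumption here, not something the page states.

```python
import struct

EOCD_SIG = 0x06054B50
EOCD_LEN = 22
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding block",
    0x2146444E: "Google Play metadata (ID as reported publicly; assumption)",
}


def find_eocd(apk: bytes) -> int:
    """Offset of the End Of Central Directory record, scanning back over an optional ZIP comment."""
    for off in range(len(apk) - EOCD_LEN, max(-1, len(apk) - EOCD_LEN - 65535), -1):
        if struct.unpack_from("<I", apk, off)[0] == EOCD_SIG:
            comment_len = struct.unpack_from("<H", apk, off + 20)[0]
            if off + EOCD_LEN + comment_len == len(apk):
                return off
    raise ValueError("no EOCD record")


def parse_signing_block(apk: bytes) -> dict:
    """Map block ID -> value bytes for every ID-value pair in the APK Signing Block; {} if absent.
    Layout: size_of_block(u64) | pairs: len(u64) id(u32) value | size_of_block(u64) | magic(16)."""
    cd_off = struct.unpack_from("<I", apk, find_eocd(apk) + 16)[0]
    if cd_off < 24 or apk[cd_off - 16:cd_off] != SIG_BLOCK_MAGIC:
        return {}
    size_of_block = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    start = cd_off - size_of_block - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size_of_block:
        raise ValueError("inconsistent APK Signing Block sizes")
    pairs, pos, end = {}, start + 8, cd_off - 24
    while pos < end:
        length = struct.unpack_from("<Q", apk, pos)[0]
        if length < 4 or pos + 8 + length > end:
            raise ValueError("ID-value pair overruns block")
        bid = struct.unpack_from("<I", apk, pos + 8)[0]
        pairs[bid] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs


def describe(pairs: dict) -> list:
    """(id as hex, known name or 'unknown', value length) for each pair, in file order."""
    return [(f"0x{bid:08x}", KNOWN_IDS.get(bid, "unknown"), len(v)) for bid, v in pairs.items()]


def build_test_apk(pairs) -> bytes:
    """Construct a minimal ZIP (no entries) whose central directory is preceded by an APK Signing Block."""
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs)
    size_of_block = len(body) + 8 + 16   # pairs + trailing size field + magic (excludes the leading size field)
    block = struct.pack("<Q", size_of_block) + body + struct.pack("<Q", size_of_block) + SIG_BLOCK_MAGIC
    cd_off = len(block)                  # empty central directory starts right after the block
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 0, 0, 0, cd_off, 0)
    return block + eocd


if __name__ == "__main__":
    # Constructed values: a dummy v2 signature blob and a dummy metadata value, not real signatures.
    sample = build_test_apk([(0x7109871A, b"\x00" * 8), (0x2146444E, b"play-metadata")])
    for entry in describe(parse_signing_block(sample)):
        print(entry)
```

Because the block sits outside both the ZIP entries and the central directory, adding a pair to it does not change any entry's bytes and so does not break the v2/v3 signature over the rest of the file; that is what lets Play attach its metadata without developers re-signing.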


What is nwolb.com? [RESOLVED]

The domain nwolb.com is owned by Natwest Bank and was first registered in 1999.

It is used when you click to login to online banking.

Personally, as someone who is not a Natwest customer, the domain nwolb.com looks fake to me and I had to double-check it was genuine when writing this post. You Google Natwest and you get natwest.com, then when you go to log in you get directed to this.

If you look up this domain name on online WhoIs tools you will notice that it does not show as being owned by Natwest but comes back as CSC Corporate Domains, Inc. This can cause a lot of people to think the domain is not genuine.

We have reported in the past (details here) about spam e-mails that appear to come from this domain, but the e-mails are actually fake and use spoofed addresses.

As you can see from the below image when on natwest.com there is a link to “Log in to Online Banking” and it is this link that takes you to nwolb.com
