[LINK] What's Behind the Huawei Fracas

stephen at melbpc.org.au stephen at melbpc.org.au
Wed Mar 28 16:27:33 AEDT 2012


Roger notes,

> The real issue is whether Huawei technology brings with it embedded
> insecurity ... The probability of Huawei backbone devices being
> compromised is very high ..


Yes agreed. One might say it's certain Huawei equipment is compromised.

Given that even Unix and Android are targets, my concern would be how 
quickly Huawei might 'lose face' with patches compared with, say, Cisco. 
With due respect, some cultures *will not* admit any internal problems.

Hacks are inevitable. Anyone know Huawei's response & patch-fix times? 

For current hack examples:

1. A recent UNIX backdoor ..

"Trixd00r v0.0.1 - An Invisible TCP/IP based backdoor for UNIX systems"

NullSecurity Team Releases "Trixd00r v0.0.1", an advanced and invisible 
TCP/IP based userland backdoor for UNIX systems. It consists of a server 
and a client. The server sits and waits for magic packets using a 
sniffer. If a magic packet arrives, it will bind a shell over TCP or UDP 
on the given port, or connect back to the client again over TCP or UDP. 
The client is used to send magic packets to trigger the server and get a 
shell. You can download and use trixd00r-0.0.1.tar.gz from NullSecurity.

http://research-labs.net/tools/newsfeeds/42036/trixd00r+v001+an+invisible+tcp/ip+based+backdoor+for+unix+systems.html

2. A recent Android backdoor ..

"Backdoor in Android for No-Permissions Reverse Shell"

Security expert Thomas Cannon working at viaForensics as the Director of 
R&D has demonstrated a custom-developed app that installs a backdoor in 
Android smartphones – without requiring any permissions or exploiting any 
security holes. 

Thomas built an app which requires no permissions and yet is able to give 
an attacker a remote shell and allow them to execute commands on the 
device remotely from anywhere in the world. The functionality they are 
exploiting to do this is not new, it has been quietly pointed out for a 
number of years, and was explained in depth at Defcon 18.

It is not a zero-day exploit or a root exploit. They are using Android 
the way it was designed to work, but in a clever way in order to 
establish a 2-way communication channel. This has been tested on Android 
versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a 
similar way on all platforms.

The application operates by instructing the browser to access a 
particular web page with specific parameters. This web page, and the 
server behind it, will, in turn, control the app by forwarding the 
browser to a URL that starts with a protocol prefix that is registered as 
being handled by the app, for example app://. This process can then be 
repeated and in doing so it enables two-way communication.

"In this demonstration Android’s power and flexibility were perhaps also 
its downfall. Other smartphone platforms *may* not offer the controls we 
are bypassing at all, and the multi-tasking capabilities in Android 
allowed us to run the attack almost transparently to the user. This power 
combined with the open nature of Android also facilitates the 
customisation of the system to meet bespoke security requirements. This 
is something we have even been involved in ourselves by implementing a 
proof of concept Loadable Kernel Module to pro-actively monitor and 
defend a client’s intellectual property as it passed through their 
devices. It is no surprise that we have seen adoption of Android research 
projects in the military and government as it can be enhanced and adapted 
for specific security requirements, perhaps like no other mobile platform 
before it." Thomas Cannon said.

http://research-labs.net/tools/newsfeeds/28285/backdoor+in+android+for+nopermissions+reverse+shell.html

3. And here's a new one that sits in RAM not on a drive, so hard to find.

"Kaspersky finds Malware that resides in your RAM"

Kaspersky Lab researchers have discovered a drive-by download attack that 
evades hard-drive checkers by installing malware that lives in the 
computer's memory. The 'fileless' bot is more difficult for antivirus 
software to detect, and resides in memory until the machine is rebooted.

This malware, which doesn't create any files on the affected systems, was 
dropped onto the computers of visitors to popular news sites in Russia in 
a drive-by download attack. Drive-by download attacks are one of the 
primary methods of distributing malware over the web. 

The attack code loaded an exploit for a Java vulnerability (CVE-2011-3544), 
but it wasn't hosted on the affected websites themselves. Once the 
malware infected a Microsoft machine, the bot disabled User Account 
Control, contacted a command and control server and downloaded the 'Lurk' 
Trojan. The malware also attacked Apple devices.

The Java exploit's payload consisted of a rogue DLL that was loaded and 
attached on the fly to the legitimate Java process. Normally this malware 
is rare, because it dies when the system is rebooted and the memory is 
cleared. But the hackers do not really care because there is a good 
chance that most victims would revisit the infected news websites. Once 
the malicious DLL is loaded into memory, it sends data to and receives 
instructions from a command and control server over HTTP.

http://research-labs.net/tools/newsfeeds/53766/kaspersky+finds+malware+that+resides+in+your+ram.html
--

Cheers,
Stephen
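The Android item above describes an app that registers its own URL prefix (the app:// style scheme) so a web page can drive it through the browser while the app declares no permissions. A manifest-triage check for that combination, added here as an example (not code from the post or from viaForensics); the manifest below is constructed, not taken from any real app:

```python
"""Flag Android manifests that expose a browser-reachable custom URL scheme
while declaring no permissions. Added example; sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Schemes the browser normally hands off; anything else is app-specific.
STANDARD_SCHEMES = {"http", "https", "content", "file", "geo", "mailto", "tel", "sms"}

# Constructed sample: no <uses-permission>, one BROWSABLE activity on scheme "app".
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <activity android:name=".Relay">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="app"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def custom_browsable_schemes(manifest_xml: str):
    """Return (permissions, findings); findings is a list of (activity, scheme)
    for every VIEW+BROWSABLE intent-filter that uses a non-standard scheme."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    scheme_attr = f"{{{ANDROID_NS}}}scheme"
    perms = [p.get(name_attr) for p in root.iter("uses-permission")]
    findings = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(name_attr) for a in flt.findall("action")}
            cats = {c.get(name_attr) for c in flt.findall("category")}
            if not ("android.intent.action.VIEW" in actions
                    and "android.intent.category.BROWSABLE" in cats):
                continue  # not reachable from a web page
            for d in flt.findall("data"):
                scheme = d.get(scheme_attr)
                if scheme and scheme.lower() not in STANDARD_SCHEMES:
                    findings.append((activity.get(name_attr), scheme))
    return perms, findings


def needs_review(manifest_xml: str) -> bool:
    """True when the app is browser-drivable via a custom scheme yet declares
    no permissions: the zero-permission relay pattern described above."""
    perms, findings = custom_browsable_schemes(manifest_xml)
    return bool(findings) and not perms
```

A hit is a triage signal for manual review, not proof of a backdoor; legitimate apps also register deep-link schemes.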
