Month: July 2015

Hackers Could Heist Semis by Exploiting This Satellite Flaw


REMEMBER THE OPENING scene of the first Fast and Furious film when bandits hijacked a truck to steal its cargo? Or consider the recent real-life theft of $4 million in gold from a truck transiting from Miami to Massachusetts. Heists like these could become easier to pull off thanks to security flaws in systems used for tracking valuable shipments and assets.

Vulnerabilities in asset-tracking systems made by Globalstar and its subsidiaries would allow a hijacker to track valuable and sensitive cargo—such as electronics, gas and volatile chemicals, military supplies or possibly even nuclear materials—disable the location-tracking device used to monitor it, then spoof the coordinates to make it appear as if a hijacked shipment was still traveling its intended route. Or a hacker who just wanted to cause chaos and confusion could feed false coordinates to companies and militaries monitoring their assets and shipments to make them think they’d been hijacked, according to Colby Moore, a researcher with the security firm Synack, who plans to discuss the vulnerabilities next week at the Black Hat and Def Con security conferences in Las Vegas.

The same vulnerable technology isn’t used just for tracking cargo and assets, however. It’s also used in people-tracking systems for search-and-rescue missions and in SCADA environments to monitor high-tech engineering projects like pipelines and oil rigs to determine, for example, if valves are open or closed in areas where phone, cellular and Internet service don’t exist. Hackers could exploit the same vulnerabilities to interfere with these systems as well, Moore says.

The tracking systems consist of devices about the size of a hand that are attached to a shipping container, vehicle or equipment and communicate with Globalstar’s low-earth orbiting satellites by sending them latitude and longitude coordinates or, in the case of SCADA systems, information about their operation. A 2003 article about the technology, for example, indicated that the asset trackers could be configured to monitor and trigger an alert when certain events occurred, such as the temperature rising above a safe level in a container or the lock on a container being opened. The satellites relay this information to ground stations, which in turn transmit the data via the Internet or phone networks to the customer’s computers.

According to Moore, the Simplex data network that Globalstar uses for its satellites doesn’t encrypt communication between the tracking devices, orbiting satellites and ground stations, nor does it require the communication be authenticated so that only legitimate data gets sent. As a result, someone can intercept the communication, spoof it or jam it.

“The integrity of the whole system is relying on a hacker not being able to clone or tamper with a device,” says Moore. “The way Globalstar engineered the platform leaves security up to the end integrator, and so far, no one has implemented security.”

Simplex data transmissions are also one-way from device to satellite to ground station, which means there is no way to ping back to a device to verify that the data transmitted was accurate if the device has only satellite capability (some of the more expensive Globalstar tracking devices combine satellite and cell network communication for communicating in areas where network coverage is available).

Colby Moore intercepts a Globalstar satellite communications from a plane with his homemade transceiver

Moore says he notified Globalstar about the vulnerabilities about six months ago, but the company was noncommittal about fixing them. The problems, in fact, cannot be fixed with simple software patches. Instead, to add encryption and authentication, the communication protocol would have to be re-architected.
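What that re-architecture amounts to on a one-way link like Simplex, as an added example that is not Globalstar’s protocol or Moore’s code: each device authenticates its own frames with a per-device key and a monotonic counter, so a forged or replayed position is rejected at the ground station even though it can never be queried back. The frame layout, key handling and device ids are constructed assumptions.

```python
"""Authenticated, replay-protected one-way telemetry frames.

Added illustration: the frame layout, key handling and device ids below are
constructed assumptions, not Globalstar's Simplex format.
"""
import hashlib
import hmac
import struct

# Frame layout, big-endian: device_id u32 | counter u32 | lat i32 | lon i32 | tag (16 bytes)
HEADER = struct.Struct(">IIii")
TAG_LEN = 16
FRAME_LEN = HEADER.size + TAG_LEN  # 32 bytes


def _tag(key: bytes, header: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the whole header, so device id, counter and
    coordinates are bound together; a frame cannot be re-labelled to another device."""
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(device_id: int, counter: int, lat_udeg: int, lon_udeg: int, key: bytes) -> bytes:
    """Device side: pack coordinates (micro-degrees) and authenticate them."""
    header = HEADER.pack(device_id, counter, lat_udeg, lon_udeg)
    return header + _tag(key, header)


class GroundStation:
    """Receiver side: one key per device plus the highest counter accepted so far.
    Unlike a single network-wide code, a key recovered from one device only lets
    an attacker forge frames for that one device."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.last_counter = {dev: -1 for dev in keys}

    def verify(self, frame: bytes):
        """Return (accepted, reason, fields); fields is None when rejected."""
        if len(frame) != FRAME_LEN:
            return False, "bad length", None
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        device_id, counter, lat, lon = HEADER.unpack(header)
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device", None
        if not hmac.compare_digest(_tag(key, header), tag):
            return False, "bad tag", None
        # One-way link: the ground station cannot challenge the device, so a
        # strictly increasing counter is the replay defence.
        if counter <= self.last_counter[device_id]:
            return False, "replay", None
        self.last_counter[device_id] = counter
        return True, "ok", {"device_id": device_id, "counter": counter,
                            "lat": lat / 1e6, "lon": lon / 1e6}


def demo():
    """Walk through the accept/reject cases and return the reasons in order."""
    device = 0x0001F4A1            # constructed id, the kind printed on the casing
    key = bytes(range(32))         # constructed per-device key, provisioned at manufacture
    ground = GroundStation({device: key})
    reasons = []

    good = build_frame(device, 1, 25_761_700, -80_191_800, key)  # Miami, counter 1
    reasons.append(ground.verify(good)[1])                        # "ok"
    reasons.append(ground.verify(good)[1])                        # verbatim replay -> "replay"

    # Forger knows the printed device id but not its key; constructed Massachusetts fix
    forged = build_frame(device, 2, 42_360_100, -71_058_900, b"\x00" * 32)
    reasons.append(ground.verify(forged)[1])                      # "bad tag"

    # Genuine frame with one coordinate bit flipped in transit (byte 9 lies inside lat)
    nxt = bytearray(build_frame(device, 2, 25_770_000, -80_200_000, key))
    nxt[9] ^= 0x01
    reasons.append(ground.verify(bytes(nxt))[1])                  # "bad tag"

    # A neighbouring (sequential) device id guessed from this one has no key on file
    reasons.append(ground.verify(build_frame(device + 1, 1, 0, 0, key))[1])  # "unknown device"
    return reasons


if __name__ == "__main__":
    print(demo())
```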

Globalstar did not respond to a request from WIRED for comment.

Top Companies Rely on Globalstar Satellites

Globalstar has more than four dozen satellites in space, and it’s considered one of the largest providers of satellite voice and data communications in the world. Additionally, its satellite asset-tracking systems—such as the SmartOne, SmartOne B and SmartOne C—provide service to a wide swath of industry, including oil and gas, mining, forestry, commercial fishing, utilities, and the military. Asset-tracking systems made by Globalstar and its subsidiaries Geforce and Axon can be used to track fleets of armored cars, cargo-shipping containers, maritime vessels, and military equipment or simply expensive construction equipment. Geforce’s customers include such bigwigs as BP, Halliburton, GE Oil and Gas, Chevron and Conoco Phillips. Geforce markets its trackers for use with things like acid and fuel tanks, railway cars, and so-called “frac tanks” used in fracking operations.

The company noted in a press release this year that since the launch of its initial SmartOne asset-tracking system in 2012, more than 150,000 units were being used in multiple industries, including aviation, alternative energy and the military.

In addition to asset-tracking, Globalstar produces a personal tracking system known as the SPOT Satellite Messenger for hikers, sailors, pilots and others who travel in remote areas where cell coverage might not be available so that emergency service personnel can find them if they become lost or separated from their vehicle.

Moore tested three Globalstar devices that he bought for tracking assets and people, but he says all systems that communicate with the Globalstar satellites use the same Simplex protocol and would therefore be vulnerable to interference. He also thinks the problem may not be unique to Globalstar trackers. “I would expect to see similar vulnerabilities in other systems if we were to look at them further,” he says.

The Simplex network uses a secret code to encode all data sent through it, but Moore was able to easily reverse-engineer it to determine how messages get encoded in order to craft his own. “The secret codes are not generated on the fly and are not unique. Instead, the same code is used for all the devices,” he says.

Moore spent about $1,000 in hardware to build a transceiver to intercept data from the tracking devices he purchased, and an additional $300 in software and hardware for analyzing the data and mimicking a tracking device. Although he built his own transceiver, thieves would really only need a proper antenna and a universal software radio peripheral. With these, they could intercept satellite signals to identify a shipment of valuable cargo, track its movement and transmit spoofed data. While seizing the goods, they could disable the vehicle’s tracking device physically or jam the signals while sending spoofed location data from a laptop to make it appear that the vehicle or shipment was traveling in one location when it’s actually in another.

Each device has a unique ID that’s printed on its outer casing. The devices also transmit their unique ID when communicating with satellites, so an attacker targeting a specific shipment could intercept and spoof the communication.

In most cases, attackers would want to know in advance, before hijacking a truck or shipment, what’s being transported. But an attacker could also just set up a receiver in an area where valuable shipments are expected to pass and track the assets as they move.

“I put this on a tower on a large building and all the locations of devices [in the area] are being monitored,” Moore says. “Can I find a diamond shipment or a nuclear shipment that it can track?”

It’s unclear how the military is using Globalstar’s asset-tracking devices, but conceivably if they’re being used in war zones, the vulnerabilities Moore uncovered could be used by adversaries to track supplies and convoys and aim missiles at them.

Often the unique IDs on devices are sequential, so if a commercial or military customer owns numerous devices for tracking assets, an attacker would be able to determine other device IDs, and assets, that belong to the same company or military based on similar ID numbers.

Moore says security problems like this are endemic when technologies that were designed years ago, when security protocols were lax, haven’t been re-architected to account for today’s threats.

“We rely on these systems that were architected long ago with no security in mind, and these bugs persist for years and years,” he says. “We need to be very mindful in designing satellite systems and critical infrastructure, otherwise we’re going to be stuck with these broken systems for years to come.”


Hackers Can Disable a Sniper Rifle—Or Change Its Target


PUT A COMPUTER on a sniper rifle, and it can turn the most amateur shooter into a world-class marksman. But add a wireless connection to that computer-aided weapon, and you may find that your smart gun suddenly seems to have a mind of its own—and a very different idea of the target.

At the Black Hat hacker conference in two weeks, security researchers Runa Sandvik and Michael Auger plan to present the results of a year of work hacking a pair of $13,000 TrackingPoint self-aiming rifles. The married hacker couple have developed a set of techniques that could allow an attacker to compromise the rifle via its Wi-Fi connection and exploit vulnerabilities in its software. Their tricks can change variables in the scope’s calculations that make the rifle inexplicably miss its target, permanently disable the scope’s computer, or even prevent the gun from firing. In a demonstration for WIRED (shown in the video above), the researchers were able to dial in their changes to the scope’s targeting system so precisely that they could cause a bullet to hit a bullseye of the hacker’s choosing rather than the one chosen by the shooter.

“You can make it lie constantly to the user so they’ll always miss their shot,” says Sandvik, a former developer for the anonymity software Tor. Or the attacker can just as easily lock out the user or erase the gun’s entire file system. “If the scope is bricked, you have a six to seven thousand dollar computer you can’t use on top of a rifle that you still have to aim yourself.”

The exposed circuitboards of the Tracking Point TP750 that Runa Sandvik and Michael Auger hacked to control where the rounds hit.

Since TrackingPoint launched in 2011, the company has sold more than a thousand of its high-end, Linux-powered rifles with a self-aiming system. The scope allows you to designate a target and dial in variables like wind, temperature, and the weight of the ammunition being fired. Then, after the trigger is pulled, the computerized rifle itself chooses the exact moment to fire, activating its firing pin only when its barrel is perfectly oriented to hit the target. The result is a weapon that can allow even a gun novice to reliably hit targets from as far as a mile away.

But Sandvik and Auger found that they could use a chain of vulnerabilities in the rifle’s software to take control of those self-aiming functions. The first of these has to do with the Wi-Fi, which is off by default, but can be enabled so you can do things like stream a video of your shot to a laptop or iPad. When the Wi-Fi is on, the gun’s network has a default password that allows anyone within Wi-Fi range to connect to it. From there, a hacker can treat the gun as a server and access APIs to alter key variables in its targeting application. (The hacker pair were only able to find those changeable variables by dissecting one of the two rifles they worked with, using an eMMC reader to copy data from the computer’s flash storage with wires they clipped onto its circuit board pins.)

Though the rifle’s scope seemed to be pointed at the target on the right, the researchers were able to make it hit the bullseye on the left instead

In the video demonstration for WIRED at a West Virginia firing range, Auger first took a shot with the unaltered rifle and, using the TrackingPoint rifle’s aiming mechanism, hit a bullseye on his first attempt. Then, with a laptop connected to the rifle via Wi-Fi, Sandvik invisibly altered the variable in the rifle’s ballistic calculations that accounted for the ammunition’s weight, changing it from around .4 ounces to a ludicrous 72 pounds. “You can set it to whatever crazy value you want and it will happily accept it,” says Sandvik.

Sandvik and Auger haven’t figured out why, but they’ve observed that higher ammunition weights aim a shot to the left, while lower or negative values aim it to the right. So on Auger’s next shot, Sandvik’s change of that single number in the rifle’s software made the bullet fly 2.5 feet to the left, bullseyeing an entirely different target.

The only alert a shooter might have to that hack would be a sudden jump in the scope’s view as it shifts position. But that change in view is almost indistinguishable from jostling the rifle. “Depending on how good a shooter you are, you might chalk that up to ‘I bumped it,’” says Sandvik.

The two hackers’ wireless control of the rifle doesn’t end there. Sandvik and Auger found that through the Wi-Fi connection, an attacker could also add themselves as a “root” user on the device, taking full control of its software, making permanent changes to its targeting variables, or deleting files to render the scope inoperable. If a user has set a PIN to limit other users’ access to the gun, that root attack can nonetheless gain full access and lock out the gun’s owner with a new PIN. The attacker can even disable the firing pin, a computer-controlled solenoid, to prevent the gun from firing.

One thing their attack can’t do, the two researchers point out, is cause the gun to fire unexpectedly. Thankfully TrackingPoint rifles are designed not to fire unless the trigger is manually pulled.

In a phone call with WIRED, TrackingPoint founder John McHale said that he appreciates Sandvik and Auger’s research, and that the company will work with them to develop a software update to patch the rifle’s hackable flaws as quickly as possible. When it’s ready, that update will be mailed out to customers as a USB drive, he said. But he argued that the software vulnerabilities don’t fundamentally change the gun’s safety. “The shooter’s got to pull the rifle’s trigger, and the shooter is responsible for making sure it’s pointed in a safe direction. It’s my responsibility to make sure my scope is pointed where my gun is pointing,” McHale says. “The fundamentals of shooting don’t change even if the gun is hacked.”

Runa Sandvik fires a round from a Tracking Point TP750 rifle at a target 50 yards away as husband and fellow security researcher Michael Auger uses a laptop to hack into the rifle’s Wi-Fi, changing the angle of its shot

He also pointed out that the Wi-Fi range of the hack would limit its real-world use. “It’s highly unlikely when a hunter is on a ranch in Texas, or on the plains of the Serengeti in Africa, that there’s a Wi-Fi internet connection,” he says. “The probability of someone hiding nearby in the bush in Tanzania is very low.”

But Auger and Sandvik counter that with their attack, a hacker could alter the rifle in a way that would persist long after that Wi-Fi connection is broken. It’s even possible (although likely difficult), they suggest, to implant the gun with malware that would only take effect at a certain time or location based on querying a user’s connected phone.

In fact, Auger and Sandvik have been attempting to contact TrackingPoint to help the company patch its rifles’ security flaws for months, emailing the company without response. The company’s silence until WIRED’s inquiry may be due to its financial problems: Over the last year, TrackingPoint has laid off the majority of its staff, switched CEOs and even ceased to take new orders for rifles. McHale insists that the company hasn’t gone out of business, though it’s “working through an internal restructuring.”

A view through the scope of the Tracking Point TP750.

Given TrackingPoint’s financial straits, Sandvik and Auger say they won’t release the full code for their exploit for fear that the company won’t have the manpower to fix its software. And with only a thousand vulnerable rifles in consumers’ hands and the hack’s limited range, it may be unlikely that anyone will actually be victimized by the attack.

But the rifles’ flaws signal a future where objects of all kinds are increasingly connected to the Internet and are vulnerable to hackers—including lethal weapons. “There are so many things with the Internet attached to them: cars, fridges, coffee machines, and now guns,” says Sandvik. “There’s a message here for TrackingPoint and other companies…when you put technology on items that haven’t had it before, you run into security challenges you haven’t thought about before.”


How Can a Hacker Break Into the Isolated Networks of Nuclear Reactors?

how hackers hack Nuclear reactor

**This article is for educational purposes only**

Critical infrastructures such as oil platforms and nuclear reactors have sophisticated levels of security to protect against cyber attacks. However, hackers are thinking one step ahead of security professionals in order to hack critical infrastructure. Critical infrastructures have isolated networks, so they are very difficult to reach from the outside world. For this reason, hackers have developed malware such as Stuxnet and Flame, which spread via USB devices, since large amounts of information are exchanged across these networks using USB memory devices.

USB sticks are reusable memory storage devices that plug into a computer’s USB port and are commonly known as flash drives or memory cards. You can erase USB drives any number of times and use them for different purposes.

USB sticks are so common these days that hackers have started writing malware specifically for USB memory. Using this malware, hackers are able to break into isolated networks such as those in nuclear plants. In this article we will discuss USB-related malware with the help of information security solutions experts.


A USB flash drive is a data storage device that includes flash memory with an integrated Universal Serial Bus (USB) interface. A flash drive consists of a small printed circuit board carrying the circuit elements and a USB connector, electrically insulated and protected inside a plastic, metal or rubber case. Most flash drives use a standard USB Type-A connection that allows them to be plugged into a port on a computer, but drives with other interfaces also exist. USB flash drives draw power from the computer through the USB connection.


The parts of a flash drive are listed below:

  • Standard-A USB connector – provides a physical interface to the host computer.
  • USB mass storage controller – a small microcontroller with a small amount of on-chip ROM and RAM.
  • NAND flash memory chip(s) – store the data (NAND flash is also typically used in digital cameras).
  • Crystal oscillator – produces the device’s main 12 MHz clock signal and controls the device’s data output through a phase-locked loop.
  • Cover – typically made of plastic or metal, to protect the electronics against mechanical stress and even possible short circuits.
  • Jumpers and test pins – for testing during manufacture or for loading the flash drive’s firmware into the microcontroller.
  • LEDs – indicate data transfers.
  • Write-protect switches – enable or disable writing of data to the memory.
  • Unpopulated space – provides room for a second memory chip. Having this second space allows the manufacturer to use a single printed circuit board for more than one storage size of device.
  • Some drives offer expandable storage via an internal memory card slot, like a memory card reader.

Most flash drives ship pre-formatted with the FAT32 or exFAT file system. Sectors are 512 bytes long, for compatibility with hard disk drives, and the first sector can contain a master boot record and a partition table.


There are two types of USB malware: the first is USB drive firmware malware and the second is ordinary computer malware that only runs from USB drives, called Ghost malware. We will cover each of these in more detail, and how hackers are using them to break into the isolated networks of critical infrastructure such as electric power plants, nuclear reactors, etc.

1. Malware based on the USB microcontroller’s firmware

Hackers create this malware by reprogramming the firmware of the USB drive’s mass storage controller. The malware is injected into the firmware, which lives in the microcontroller and not in the flash memory (where we store our files).

Mike Stevens, information security training expert, explains that once malware is injected into a USB drive’s firmware it can do the following:

  • The microcontroller firmware malware can emulate a keyboard and issue commands on behalf of the logged-in user, for example giving the hacker root access and infecting other devices on the network.
  • The USB drive can act as a network card and change the computer’s DNS settings to redirect traffic.

The trust that operating systems such as Windows, Mac and Linux place in human interface devices (HID) such as keyboards, and in network cards, is the reason behind this attack. The activities carried out by the malware appear as though a logged-in user performed them. The USB drive with malware in its firmware is detected as an HID by the operating system, and the malware runs the command sequence to hand root control to the hacker. Antivirus cannot detect this type of threat, since the antivirus believes that a logged-in user granted access to another trusted person.

There are 3 different types of attack based on USB mass storage controller firmware.

As the information security training expert explained before, the attacker takes an ordinary USB drive containing a small microcontroller, injects the malware into the firmware and takes root control of the computer with the help of this malware. This type of USB is called BADUSB.

Types of attacks with BADUSB

  • Pretend to be a 4 GB USB drive while actually having 32 GB of space, where the rest of the space is used to copy data and later upload it to a remote server. Thus, when the drive is formatted, only 4 GB of space is erased.
  • Pretend to be a keyboard or mouse.
  • Pretend to be a network card.
  • Pretend to be a phone or tablet.
  • Pretend to be a webcam.
  • Pretend to be a bank authentication token.
  • Pretend to be printers and scanners.
  • Pretend to be a Type-C power-and-data connector for the new MacBook or Chromebook Pixel. Despite its versatility, Type-C is still based on the USB standard, which makes it vulnerable to a firmware attack. It would therefore be an attack through the power cable.


STEP 1. Check the microcontroller details

First, check the details of the controller and its associated firmware. We need software such as ChipGenius, CheckUDisk, UsbIDCheck or USBDeview to determine this. These are open source programs and are readily available. They will give you the chip vendor, part number, product vendor, product model, VID and PID.

STEP 2. Restore the original firmware and check the firmware (optional step)

You can also use this step to repair your USB drive if for some reason it is dead. You can visit a website such as and check for the program to restore it.

You can use the VID and PID found in the previous step to search for the firmware restore program. You can download the MP (mass production) tool, such as the USBest UT16 tool, according to your PID and VID and then update the controller. This will restore your USB drive completely, like a new one, according to information security solutions experts.

STEP 3. Preparing to inject malware into the firmware

We will cover the scenario of Toshiba USB sticks that have a Phison controller. The necessary tools are available on GitHub.

  • You need Windows with .NET 4.0 and Visual Studio 2012 installed.
  • SDCC (Small Device C Compiler) suite in C:\Program Files\SDCC (for building the firmware and patches); restart the computer after installing these.
  • Double-click DriveCom.sln, which opens in Visual Studio. Run the project and build it. DriveCom.exe will then be in the tools folder.
  • Do the same with EmbedPayload.sln and the injector.
  • Run DriveCom as follows to get information about the drive:

DriveCom.exe /drive=E /action=GetInfo

where E is the drive letter. This should tell you the type of controller you have (such as PS2251-03 (2303)) and the unique ID of your flash chip.

STEP 4. Before performing the firmware flashing operation

For flashing you will need burner images. These burner images are normally named using the following convention:


where xx is the controller version (for example, 03 for PS2251-03 (2303)), yyy is the version number (irrelevant), and z indicates the page size.

z can be:

2KM – indicates this is for 2K NAND chips.

4KM – indicates this is for 4K NAND chips.

M – indicates this is for 8K NAND chips.

You can download burner images from the Internet from websites such as


To build the custom firmware, open a command prompt in the “firmware” directory and run build.bat. You can try with FW03FF01V10353M.BIN as 1.03.53.

The resulting file will be firmware\bin\fw.bin, which can then be flashed onto your USB drive.

It will also produce a file firmware\bin\bn.bin, which is the burner image equivalent of the code.

STEP 5. Dump the firmware

Once you have the image, enter boot mode by running:

DriveCom.exe /drive=E /action=SetBootMode

where E is the drive letter. You can transfer and execute the burner image via:

DriveCom.exe /drive=E /action=SendExecutable /burner=[burner]

where E is the drive letter and [burner] is the burner image file name.

You can dump the firmware by running:

DriveCom.exe /drive=E /action=DumpFirmware /firmware=[firmware]

where E is the drive letter and [firmware] is the destination file name.

STEP 6. Inject the malware into the firmware

Here you will need your exploit with its payload; according to the ethical hacking training professor at IICS, you can learn to create an exploit payload and inject it into code during ethical hacking training. However, you can also get a script from the Rubber Ducky GitHub page and, with the help of Duckencoder, create an inject.bin file from your script.

You can inject the payload into the firmware by running:

EmbedPayload.exe inject.bin fw.bin

where inject.bin is your compiled Rubber Ducky script and fw.bin is the custom firmware image.

STEP 7. Flashing the USB drive controller firmware

Once you have the burner image and the firmware, run:

DriveCom.exe /drive=[letter] /action=SendFirmware /burner=[burner] /firmware=[firmware]

where [letter] is the drive letter, [burner] is the burner image name, and [firmware] is the firmware image name.

The steps above give a method for creating a BADUSB, and this USB can be used for ethical hacking and penetration testing. You can also create SD cards as BADSD that can be used on phones and tablets to hack them. Below is the video from information security solutions researchers showing how to modify an SD card’s firmware and inject malware into the card.

1.2 USB Rubber Ducky – UKI (USB Key Injector)

Instead of creating your own USB firmware, you can also buy USB devices sold on the market such as the Rubber Ducky USB or UKI (USB Key Injector). You can learn more about the USB Key Injector and Rubber Ducky USB in the information security training of the International Institute of Cyber Security.

1.3 Teensy microcontroller board

Using a Teensy microcontroller board with various kinds of software to mimic HID devices is the most traditional method. You can learn more about Teensy in ethical hacking training.

2. GHOST USB malware

This is like ordinary malware, but it only runs on USB devices, and once inside a computer it performs no activity. Criminals use these methods to compromise isolated networks that are not reachable over the Internet. The most recently discovered malware of this type was FLAME. In the case of Flame, the malware created a folder that could not be seen by a Windows PC, hiding the malware and the documents stolen from the user, say information security solutions experts. This opened the possibility that people were unknowingly carrying Flame from PC to PC. USB drives with Ghost malware are effective on isolated networks holding a lot of confidential information, since portable storage drives are normally used to transfer data between computers on isolated networks.

Flame can spread to other systems via a local area network (LAN) or via a USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons that attempt to download information from nearby Bluetooth-enabled devices. This data, together with locally stored documents, is sent to one of several command-and-control servers run by the hackers, after which the malware can take new instructions from those servers.


Preventive measures

How to protect yourself from BADUSB and USB Rubber Ducky type devices

According to nuclear plant information security solutions expert Taylor Reed of iicybsecurity, you can take the following steps.

  1. Only connect USB devices from vendors you know and trusted USB devices. For critical infrastructure such as nuclear plants and oil platforms, use devices whose firmware is signed and secured by the vendor, so that if someone tries to tamper with the firmware, the device will not work.
  2. Keep your anti-malware program up to date. It will not scan the firmware, but it should detect if the BadUSB tries to install or run malware.
  3. Implement information security solutions in advance that monitor the use of devices connected to your computer and block any additional USB keyboard.

How to protect yourself from GHOST USB malware

  1. Keep your anti-malware program up to date.
  2. Use the Ghost USB honeypot. Ghost honeypot is a honeypot for detecting malware that spreads via USB devices.
  3. The honeypot currently supports Windows XP and Windows 7. The way Ghost works is that it first tries to emulate a USB flash drive. If the malware identifies it as a USB flash drive, it will trick the malware into infecting it. Ghost then watches for write-based requests to the drive, which is an indication of malware. You can learn more about the Ghost USB honeypot in ethical hacking training.

USB malware is very dangerous, and immediate measures should be implemented to secure the IT infrastructure with the help of information security experts.

US Census Bureau Experiences Data Breach, Anonymous Hackers at Fault

Posted on Updated on

The US Census Bureau Director, John H. Thompson, revealed on Friday that his institution experienced a data breach the past week, but no sensitive or private information was leaked.

On a post on the bureau’s blog penned by Mr. Thompson himself, he revealed how attackers got access to an external facing database belonging to the Federal Audit Clearinghouse.

This database contained details about the names of the person submitting information to the US Census Bureau, organization addresses, phone numbers, usernames, and other types of data the bureau did not consider confidential.


Regarding private information collected from US citizens and businesses, Mr. Thompson said, “That information remains safe, secure and on an internal network segmented apart from the external site and the affected database.  Over the last three days, we have seen no indication that there was any access to internal systems.”

The group Anonymous Operations is to blame for the attack

The breach was announced on Twitter by a hacker group calling itself Anonymous Operations and was carried out in protest to the TTIP (Transatlantic Trade and Investment Partnership) and TTP (Trans-Pacific Partnership) trade agreements.

The tweet also contained a link to their own website, where four other URLs linked to the info obtained in the data breach.

The nationality of the hackers is unknown, but their anger against the TTP and TTIP agreements should narrow down the search.

While not as severe as other attacks on US government bodies, the bureau’s IT staff took the servers offline within 90 minutes of learning of the attack, and this is how they’ll remain until the investigation completes.

From initial findings, “it appears the database was compromised through a configuration setting that allowed the attacker to gain access to the four files posted to the hacker’s site,” said Mr. Thompson.


Researchers Hack Air-Gapped Computer With Simple Cell Phone

Posted on

THE MOST SENSITIVE work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.

But researchers in Israel have devised a new method for stealing data that bypasses all of these protections—using the GSM network, electromagnetic waves and a basic low-end mobile phone. The researchers are calling the finding a “breakthrough” in extracting data from air-gapped systems and say it serves as a warning to defense companies and others that they need to immediately “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev, where the research was done.

The attack requires both the targeted computer and the mobile phone to have malware installed on them, but once this is done the attack exploits the natural capabilities of each device to exfiltrate data. Computers, for example, naturally emit electromagnetic radiation during their normal operation, and cell phones by their nature are “agile receivers” of such signals. These two factors combined create an “invitation for attackers seeking to exfiltrate data over a covert channel,” the researchers write in a paper about their findings.


The research builds on a previous attack the academics devised last year using a smartphone to wirelessly extract data from air-gapped computers. But that attack involved radio signals generated by a computer’s video card that get picked up by the FM radio receiver in a smartphone.

The new attack uses a different method for transmitting the data and infiltrates environments where even smartphones are restricted. It works with simple feature phones that often are allowed into sensitive environments where smartphones are not, because they have only voice and text-messaging capabilities and presumably can’t be turned into listening devices by spies. Intel’s manufacturing employees, for example, can only use “basic corporate-owned cell phones with voice and text messaging features” that have no camera, video, or Wi-Fi capability, according to a company white paper citing best practices for its factories. But the new research shows that even these basic Intel phones could present a risk to the company.

“[U]nlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone,” they note in their paper.

Though the attack permits only a small amount of data to be extracted to a nearby phone, it’s enough to exfiltrate passwords or even encryption keys in a minute or two, depending on the length of the password. But an attacker wouldn’t actually need proximity or a phone to siphon data. The researchers found they could also extract much more data from greater distances using a dedicated receiver positioned up to 30 meters away. This means someone with the right hardware could wirelessly exfiltrate data through walls from a parking lot or another building.

Although someone could mitigate the first attack by simply preventing all mobile phones from being brought into a sensitive work environment, to combat an attack using a dedicated receiver 30 meters away would require installing insulated walls or partitions.

The research was conducted by lead researcher Mordechai Guri, along with Assaf Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky, and Elovici. Guri will present their findings next month at the Usenix Security Symposium in Washington, DC. A paper describing their work has been published on the Usenix site, though it’s currently only available to subscribers. A video demonstrating the attack has also been published online.

Data leaks via electromagnetic emissions are not a new phenomenon. So-called TEMPEST attacks were discussed in an NSA article in 1972. And about 15 years ago, two researchers published papers demonstrating how EMR emissions from a desktop computer could be manipulated through specific commands and software installed on the machine.

The Israeli researchers built on this previous knowledge to develop malware they call GSMem, which exploits this condition by forcing the computer’s memory bus to act as an antenna and transmit data wirelessly to a phone over cellular frequencies. The malware has a tiny footprint and consumes just 4 kilobytes of memory when operating, making it difficult to detect. It also consists of just a series of simple CPU instructions that don’t need to interact with the API, which helps it to hide from security scanners designed to monitor for malicious API activity.

The attack works in combination with a rootkit they devised, called the ReceiverHandler, that gets embedded in the baseband firmware of the mobile phone. The GSMem malware could be installed on the computer through physical access or through interdiction methods—that is, in the supply chain while it is en route from the vendor to the buyer. The rootkit could get installed through social engineering, a malicious app or through physical access to the targeted phone.

The Nitty Gritty

When data moves between the CPU and RAM of a computer, radio waves get emitted as a matter of course. Normally the amplitude of these waves wouldn’t be sufficient to transmit messages to a phone, but the researchers found that by generating a continuous stream of data over the multi-channel memory buses on a computer, they could increase the amplitude and use the generated waves to carry binary messages to a receiver.

Multi-channel memory configurations allow data to be simultaneously transferred via two, three, or four data buses. When all these channels are used, the radio emissions from that data exchange can increase by 0.1 to 0.15 dB.

The GSMem malware exploits this process by causing data to be exchanged across all channels to generate sufficient amplitude. But it does so only when it wants to transmit a binary 1. For a binary 0, it allows the computer to emit at its regular strength. The fluctuations in the transmission allow the receiver in the phone to distinguish when a 0 or a 1 is being transmitted.

“A ‘0’ is determined when the amplitude of the signal is that of the bus’s average casual emission,” the researchers write in their paper. “Anything significantly higher than this is interpreted as a binary ‘1’.”

The receiver recognizes the transmission and converts the signals into binary 1s and 0s and ultimately into human-readable data, such as a password or encryption key. It stores the information so that it can later be transmitted via mobile-data or SMS or via Wi-Fi if the attack involves a smartphone.

The receiver knows when a message is being sent because the transmissions are broken down into frames of sequential data, each composed of 12 bits, that include a header containing the sequence “1010.” As soon as the receiver sees the header, it takes note of the amplitude at which the message is being sent, makes some adjustments to sync with that amplitude, then proceeds to translate the emitted data into binary. They say the most difficult part of the research was designing the receiver malware to decode the cellular signals.
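As an added illustration, not the researchers’ code, the following Python simulates the framing just described: 12-bit frames opened by a “1010” header, a “1” raised above the bus’s casual emission level, and a receiver that uses the known header bits to calibrate its 0/1 threshold before decoding. The amplitudes are plain floats in arbitrary units and the noise, idle period and sample payload are constructed.

```python
"""Simulation of the GSMem-style framing described above (constructed example).

Amplitudes are plain floats in arbitrary units and the noise is synthetic; the
receiver logic reconstructs the behaviour the article describes (12-bit frames,
'1010' header, threshold calibrated from the header) and is not GSMem's code.
"""
import random
from statistics import mean

HEADER = "1010"                              # sync pattern opening every frame
PAYLOAD_BITS = 8                             # one data byte per frame
FRAME_BITS = len(HEADER) + PAYLOAD_BITS      # 12 bits per frame, as in the paper


def encode_frames(data: bytes) -> str:
    """Transmitter: wrap each byte as '1010' + its 8 bits."""
    return "".join(HEADER + format(b, "08b") for b in data)


def emit(bits: str, baseline=1.0, boost=0.15, sigma=0.015, idle=20, seed=1) -> list:
    """Model the bus emission, one sample per bit: a '1' drives every memory
    channel (baseline + boost), a '0' leaves the bus at its casual level.
    Gaussian noise stands in for the other machines in the room, and `idle`
    silent samples precede the message so the receiver must find the frames."""
    rng = random.Random(seed)
    levels = [0.0] * idle + [boost if b == "1" else 0.0 for b in bits]
    return [baseline + lvl + rng.gauss(0.0, sigma) for lvl in levels]


def _slice(samples, threshold):
    """Hard-decide each sample: above threshold -> '1', otherwise '0'."""
    return "".join("1" if s > threshold else "0" for s in samples)


def _frame_starts(bits, offset):
    """Frame boundaries on the 12-bit grid beginning at `offset`."""
    return range(offset, len(bits) - FRAME_BITS + 1, FRAME_BITS)


def _best_offset(bits):
    """Choose the grid alignment at which the most frames open with the header."""
    scores = [
        sum(bits[s:s + len(HEADER)] == HEADER for s in _frame_starts(bits, off))
        for off in range(FRAME_BITS)
    ]
    return scores.index(max(scores))


def decode(samples: list) -> bytes:
    """Receiver: coarse threshold -> align to the header -> recalibrate the
    threshold from the header's known 1/0 samples -> decode payload bytes."""
    coarse = (min(samples) + max(samples)) / 2
    bits = _slice(samples, coarse)
    starts = [s for s in _frame_starts(bits, _best_offset(bits))
              if bits[s:s + len(HEADER)] == HEADER]
    if not starts:
        return b""
    # The header bits are known, so their samples reveal both signal levels;
    # this is the "adjust to the sender's amplitude" step from the article.
    ones = [samples[s + i] for s in starts for i, h in enumerate(HEADER) if h == "1"]
    zeros = [samples[s + i] for s in starts for i, h in enumerate(HEADER) if h == "0"]
    bits = _slice(samples, (mean(ones) + mean(zeros)) / 2)
    out = bytearray()
    for s in starts:
        if bits[s:s + len(HEADER)] == HEADER:          # drop frames that lost sync
            out.append(int(bits[s + len(HEADER):s + FRAME_BITS], 2))
    return bytes(out)


def roundtrip(data: bytes) -> bytes:
    """Send `data` over the simulated channel and return what the receiver got."""
    return decode(emit(encode_frames(data)))


if __name__ == "__main__":
    secret = b"key:2a"               # constructed sample payload
    print(roundtrip(secret))         # expected: b'key:2a'
```

Raising `sigma` in `emit` shows why the authors describe the receiver as the hard part: once the noise approaches the 0.15 gap between the two levels, header alignment and payload bits both start to fail.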

For their test, the researchers used a nine-year-old Motorola C123 phone with Calypso baseband chip made by Texas Instruments, which supports 2G network communication, but has no GPRS, Wi-Fi, or mobile data capabilities. They were able to transmit data to the phone at a rate of 1 to 2 bits per second, which was sufficient to transmit 256-bit encryption keys from a workstation.

They tested the attack on three workstations with different Microsoft Windows, Linux, and Ubuntu configurations. The experiments all took place in a space with other active desktop computers running nearby to simulate a realistic work environment in which there might be a lot of electromagnetic noise that the receiver has to contend with to find the signals it needs to decode.

Although the aim of their test was to see if a basic phone could be used to siphon data, a smartphone would presumably produce better results, since such phones have better radio frequency reception. They plan to test smartphones in future research.

But even better than a smartphone would be a dedicated receiver, which the researchers did test. They were able to achieve a transmission rate of 100 to 1,000 bits per second using dedicated hardware and a receiver from up to 30 meters away, instead of a nearby phone. They used GNU Radio software, a software-defined radio kit, and an Ettus Research Universal Software Radio Peripheral B210.

Although there are limits to the amount of data any of these attacks can siphon, even small bits of data can be useful. In addition to passwords, an attacker could use the technique to siphon the GPS coordinates of sensitive equipment to determine its location—for example, a computer being used to operate a covert nuclear program in a hidden facility. Or it could be used to siphon the RSA private key that the owner of the computer uses to encrypt communications.

“This is not a scenario where you can leak out megabytes of documents, but today sensitive data is usually locked down by smaller amounts of data,” says Dudu Mimran, CTO of the Cyber Security Research Center. “So if you can get the RSA private key, you’re breaking a lot of things.”


Steam Hit by Major Security Breach, Many Accounts Hacked

Posted on

Valve’s Steam is the biggest platform in the PC gaming market, with Valve themselves being one of the most prominent companies in the gaming industry as a whole. Steam has millions of accounts all over the world, and in some cases people have invested literally thousands of dollars into their own accounts. Which is why a security breach like the one that just occurred a few days ago is something to take very seriously.

Reports are still blurry and information keeps coming out – Valve themselves are yet to make an official statement on the issue – but according to a demonstration posted on YouTube, an attacker could abuse the “forgotten password” feature of Steam’s log-in service, completely bypassing the step where a security code must be entered, and be granted the ability to reset the account’s password.


All an attacker needs to carry out this exploit is the account name of a Steam user. It’s not yet clear if Steam Guard offers sufficient protection from the exploit, as there have been some reports from users claiming that their accounts have been compromised even with Steam Guard enabled.

Valve have closed the loophole already, but not before significant amounts of damage were done to many users. Among the affected are various prominent Twitch streamers, who’ve had their accounts hijacked and locked down. Valve have apparently started to impose a 5-day “ban” on accounts that have been compromised in the incident, but it’s not clear if there will be any additional consequences for those who have been affected.

Some users have been worried about the possibility of “VAC bans” – Valve’s anti-cheat system is quite notorious for its permanent bans, and even in cases where users have had their accounts hijacked, Valve typically never revert these bans.

On the other hand, users who actively trade on the Steam Market have been worried that they might lose some of their hard-earned items, which is a real danger now that their accounts have been compromised. This could be one of the reasons for the 5-day lockdown, as it would allow Valve to carefully sort out the mess without people trading and getting in their way.

Some have pointed out that Valve’s silence on the matter has been worrying. It’s been nearly 24 hours since the issue started spreading publicly, and considering the large number of potentially compromised accounts, the responsible thing would be to notify users as soon as possible so they can take steps to secure their own accounts.

However, Valve haven’t commented on the situation yet and it’s not clear when they are going to speak up. Various social media sites have been discussing the issue very actively, such as reddit, where it’s already popped up in many popular sections and has been getting a lot of attention.

Users are advised to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should definitely not ignore it, and proceed to verify that their account is still accessible.

It’s important to note that the information contained in the e-mail itself is not necessary to carry out the attack. Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers are able to simply keep resetting it over and over again, and there was no good way to stop them.


HORNET: Tor-style dark web network allows high-speed anonymous web browsing

Posted on

A new anonymous web browser capable of delivering encrypted data across the dark web at high speeds has been developed by security researchers.

HORNET (High-speed Onion Routing at the Network Layer), created by researchers from Zurich and London, is capable of processing anonymous traffic at speeds of more than 93 Gb/s, paving the way for what academics refer to as “internet-scale anonymity”.

The research paper detailing the anonymity network reveals that it was created in response to revelations concerning widespread government surveillance that came to light through the US National Security Agency (NSA) whistleblower Edward Snowden.

A new browser for the dark web could offer significantly higher browsing speeds than Tor

HORNET has also been designed to overcome the flaws identified with other anonymous web browsers, such as Tor.

“Recent revelations about global-scale pervasive surveillance programs have demonstrated that the privacy of internet users worldwide is at risk,” the researchers have stated.

“To protect against these and other surveillance threats, several anonymity protocols, tools, and architectures have been proposed. Tor is the system of choice for over 2 million daily users, but its design as an overlay network suffers from performance and scalability issues: as more clients use Tor, more relays must be added to the network.”

Due to Tor’s system of encryption between the servers or relays that make up its network, web browsing can be a much slower experience than on the open web.

In order to achieve higher speeds, HORNET uses “source-selected paths and shared keys between endpoints and routers to support [anonymous communication]”, meaning that data is not encrypted as often as Tor, but still remains anonymous.

According to its creators, HORNET is also less vulnerable to attacks that have been used to reveal the identity of Tor users. The Tor Project has declined to comment on HORNET until the research has been peer-reviewed.


WordPress 4.2.3 is out, update your website now

Posted on

If you own a website then there’s a good chance – better than one in five – that it uses the WordPress Content Management System (CMS).

If it does, you should update it now.

The latest version, version 4.2.3, was released on 23 July 2015 and includes a fix for a cross-site scripting (XSS) vulnerability that your website could do without.

The flaw allows WordPress users who have Contributor or Author roles to add javascript to a site (something normally reserved for Editors and Administrators) using specially crafted shortcodes.


Attackers who can add javascript to a site can use it to do all manner of damage such as infecting users with malware or stealing their cookies.

Some measure of protection is afforded by the fact that attackers will need a way to log in to a vulnerable site with at least Contributor privileges.

However, it is far easier (and safer) to simply close off a backdoor than to try and second-guess how an attacker might lever it open – and you should update even if you think you won’t be vulnerable.

Across the hundreds of millions of WordPress sites that exist there are likely to be plenty that have registration or membership schemes for unknown users and plenty more that unwittingly suffer from badly configured user rights, disgruntled ex-users, poorly protected passwords and session cookies or users who’ve had credentials stolen.

Any one of those things (and no doubt more I’ve not thought of) could give an attacker the foothold they need.

And bother they will because of the vast size of the WordPress install-base.

Criminal gangs use huge networks of compromised computers, called botnets, to spread malware and send spam and they’re always looking for easy ways to harvest more victims.

Vulnerabilities in popular web platforms like WordPress and Drupal provide an easy way for them to target tens or even hundreds of millions of websites at a time with automated tools.

And they can get those automated attacks up and running fast.

In October 2014, the Drupal security team reported that automated attacks started appearing within three hours of a Highly Critical vulnerability being announced.

In a sobering follow-up message two weeks later they told their users to assume that their site had been compromised if it hadn’t been patched within seven hours of the original announcement!

It’s why the number one rule of WordPress security is always run the latest version of WordPress.

Fortunately that’s become a lot easier since October 2013 when WordPress released the first version of their software, version 3.7, with automatic security updates (something Drupal is still waiting for).

Sites with automatic updates enabled began receiving their updates almost immediately.

If your site doesn’t update automatically you can upgrade by logging in and going to Dashboard → Updates and clicking “Update Now” or by downloading a copy of the software and installing it yourself.
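For anyone responsible for more than one site, the check below is an added example (not from this post or the WordPress project): it reads the version string WordPress keeps in wp-includes/version.php and reports whether the install still predates the 4.2.3 fix. The version.php contents shown are constructed samples, and the pre-release handling (a “-beta1” or “-RC1” suffix ranking below the final release) is an assumption about how such strings should be compared.

```python
"""Check whether a WordPress install predates 4.2.3 (constructed example; not
the article's or the WordPress project's own code).

WordPress stores its version in wp-includes/version.php as
    $wp_version = '4.2.3';
so an inventory script can read that line instead of trusting the dashboard.
"""
import re
from pathlib import Path

FIXED_IN = "4.2.3"     # release that closed the shortcode XSS described above
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def version_key(version: str) -> tuple:
    """Turn '4.2.3', '4.3' or '4.3-beta1' into a comparable tuple.
    Missing components pad to zero ('4.3' == '4.3.0'); a pre-release suffix
    ranks below the final release it precedes (assumption, see lead-in)."""
    main, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in main.split("."))
    parts += (0,) * (3 - len(parts))
    return parts + (0 if suffix else 1,)


def installed_version(version_php: str) -> str:
    """Pull the $wp_version assignment out of the contents of version.php."""
    m = VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def needs_update(version_php: str) -> bool:
    """True when the install is older than the 4.2.3 fix."""
    return version_key(installed_version(version_php)) < version_key(FIXED_IN)


def check_site(docroot: str) -> bool:
    """Apply the check to a real install rooted at `docroot`."""
    return needs_update(Path(docroot, "wp-includes", "version.php").read_text())


# Constructed samples mimicking the relevant line of wp-includes/version.php.
VULNERABLE_SAMPLE = "<?php\n$wp_version = '4.2.2';\n"
PATCHED_SAMPLE = "<?php\n$wp_version = '4.2.3';\n"

if __name__ == "__main__":
    for text in (VULNERABLE_SAMPLE, PATCHED_SAMPLE):
        state = "needs update" if needs_update(text) else "has the fix"
        print(installed_version(text), state)
```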


Lottery IT security boss guilty of hacking lotto computer to win $14.3m

Posted on

Iowa state lottery’s IT security boss hacked his employer’s computer system, and rigged the lottery so he could buy a winning ticket in a subsequent draw.

On Tuesday, at the Polk County Courthouse in Des Moines, Iowa, the disgraced director of information security was found guilty of fraud.

Eddie Tipton, 52, installed a hidden rootkit on a computer system run by the Multi-State Lottery Association so he could secretly alter the lottery’s random number generator, the court heard. This allowed him to calculate the numbers that would be drawn in the state’s Hot Lotto games, and therefore buy a winning ticket beforehand.

The prosecution said he also tampered with security cameras covering the lottery computer to stop them recording access to the machine.

The winning ticket, worth $14.3m after the draw in December 2010, was bought by a customer in a Des Moines QuikTrip gas station who kept his or her face hidden by a hoodie. Lottery bosses released the video of the purchase to the public in hope of tracking down the winner, and Tipton was identified as the punter by a coworker. That’s when investigators stepped in.


Meanwhile, two teams of lawyers – one in Canada and one in the US – separately tried to cash the winnings, but could not prove they bought the winning ticket. One of the legal eagles said they were hired by Robert Rhodes, a Texas man who happened to be Tipton’s best friend, to cash the winning ticket, The Des Moines Register reports.

Several former colleagues of Tipton told the court that the voice and mannerisms of the ticket’s purchaser matched the security boss’s behavior. Jason Maher, the lottery association’s IT director, also testified that Tipton had told him that he had access to a rootkit, although the software was never found, because the company’s hard drives had been wiped.

Appeal looms

The lack of computer evidence, and the testimony of Tipton’s siblings that the ticket’s purchaser wasn’t their brother, was cited by defense lawyer Dean Stowers as evidence that the case against his client was flawed. He said Tipton plans to appeal the verdict.

“I’m not particularly surprised by the verdict,” Stowers said, “because in a case where a jury is allowed to speculate on what occurred without actual evidence of what occurred, a jury can engage in all sorts of leaps of logic.”

The case highlighted several weaknesses in the security setup at the Multi-State Lottery Association, with hard drives that could have contained evidence being wiped and security footage from cameras being stored improperly. It also called into question the efficacy of the computer system used to generate the winning ticket.

“The next guy not only can figure out how to do it, but having seen what happened here, can figure out how to cover his tracks and not make the same mistakes this Tipton guy made,” said Joey George, an Iowa State University professor of information systems.

Nevertheless, Iowa lottery CEO Terry Rich insisted that the state lottery was now secure, and that improvements have been made. The prize money has since been returned to the organization and used for other payouts.

“There is no doubt this has been a fascinating case,” Rich said in a statement. “We respect the court’s work and the jury’s verdict. The facts in this case have enabled us to further enhance our layers of security to protect the integrity of lottery games, and that ultimately has been a positive.”

After a week-long trial, the jury convicted Tipton on two counts of fraud. Rhodes faces similar charges. Tipton could be sentenced to ten years in prison, although he is free on bail pending his appeal.


Arrests made in connection with JPMorgan hack, report says

Posted on

Law enforcement officials have apprehended four out of five suspects tied to the bank’s massive hack last summer.

Law enforcement authorities have arrested four people in connection with last summer’s hacking of JPMorgan Chase

Law enforcement officials have apprehended four people—including two college friends who are graduates of Florida State University—involved in “a complex securities fraud scheme” that has been connected to the data breach, Bloomberg said. A fifth person remains at large.


Two Israeli men, Gery Shalon and Ziv Orenstein, as well as U.S. citizen Joshua S. Aaron, are among those charged with participating in a pump-and-dump plot, the report said. They allegedly used bulk emails and pre-planned trading to boost certain stock prices to their benefit.

The grand jury indictment, unsealed in Manhattan on Tuesday, according to Bloomberg, revealed that at least five stocks were manipulated in years past.

The JPMorgan data breach last summer compromised the personal information of 83 million individuals and small businesses. Following the breach, JPMorgan’s CEO Jamie Dimon said he would increase the bank’s investment in cybersecurity. A March New York Times story had hinted that investigators were getting close to making arrests.


Free Tool Looks for HackingTeam Malware

Posted on

Researchers at Rook Security have released a new tool that looks for HackingTeam malware on target systems, and also have published a set of indicators of compromise to help organizations look for signs of an infection from the intrusion software.

The HackingTeam Remote Control System is the company’s flagship surveillance and intrusion platform. It sold the system to government agencies and law enforcement customers, but part of the fallout from the breach earlier this month was the exposure of HackingTeam’s customers’ names, some of which are associated with oppressive regimes. In the weeks since the attack on HackingTeam, experts have set about looking for ways to find the company’s malware tools on potentially compromised systems.

The tool, built by researchers from Rook, a security company based in Indianapolis, is called Milano and is designed to automate the process of finding the HackingTeam malware. Milano is a free tool and has two separate modes: quick scan and deep scan. The tool looks for hashes of known HackingTeam files; Rook officials said a quick scan can run in a few seconds, while a deep scan can take up to an hour depending upon the system.


Rook has been working with the FBI’s Cyber Task Force in Indianapolis to analyze the HackingTeam tools and exploits, as well.

“This breach has been very unique in nature and challenging for security technology vendors to obtain code samples to create signatures and patches, thereby leaving scores of systems potentially vulnerable to nefarious actors seeking to weaponize Hacking Team’s once proprietary tools,” said J.J. Thompson, CEO of Rook. “After our Intelligence Team quickly deduced how the leaked code could be weaponized and used for harm, we immediately put a team in place to identify, analyze, and detect malicious files located in this data.”

Meanwhile, Facebook has released an update for its osquery tool that, among other things, can find the OS X backdoor used by the HackingTeam software.

“Attackers continue to develop and deploy Mac OS X backdoors. We’ve seen this with Flashback, IceFog, Careto, Adwind/Unrecom, and most recently, HackingTeam. The OS X-attacks pack has queries that identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, it means a host in your Mac fleet is compromised with malware. This pack is high signal and should result in close to zero false positives,” Javier Marcos de Prado of Facebook said in a blog post.

Researchers around the world have been analyzing the HackingTeam platform, tools, and exploits since the company was breached two weeks ago. In addition to emails and documents, much of the source code for the RCS platform was posted online, and some researchers have been able to get it up and running on their own systems. Company executives have said that they are in the process of building an entirely new version of RCS, to be released at an unspecified date.

“This is a total replacement for the existing ‘Galileo’ system, not simply an update,” HackingTeam COO David Vincenzetti said. “Of course, it will include new elements to protect systems and data considering the impact of the attack against HackingTeam.”

Tom Gorup, security operations manager at Rook, said the Milano tool will continue to evolve as more information is discovered.

“Right now there’s about ninety files that it looks for, but that will go up as we go along,” Gorup said.


Cyberwar: Pakistani President’s Website Hacked by Bangladeshi Hackers

Posted on

Pakistani President Mamnoon Hussain’s website has been hacked by Bangladeshi hackers — 72 other Pakistani government websites have been hacked as well.

There’s a cyberwar going on between Bangladeshi and Pakistani hackers, in which high-profile government websites are under attack.

The latest in line is the official website of the President of Pakistan which has been hacked and defaced by a group of Bangladeshi hackers going with the handle of “Blacksmith Hacker’s team” and the hacker behind the hack calls himself “Dark Shadow.”

Cyberwar between both countries is reaching new heights.

The hacker uploaded a defacement page with a message to the hacked websites, including a screenshot of a Facebook post in which Pakistani hackers showed off a defacement they conducted on 15 July.

A full preview of the deface page is available below:


In an exclusive email conversation, one of the hackers from Blacksmith Hacker’s team told HackRead that the reason for targeting the Pakistani president’s website was to send a reply to the Pakistani hackers who were behind the hacking of Bangladeshi government websites.

The attack on the websites appears to be severe: more than two days on, the President of Pakistan’s website was still defaced at the time of writing.

This is not the first time the hacker has targeted a Pakistani government website. The hacker is known for hacking both Pakistani and Bangladeshi government websites multiple times in the past.

Pakistan is already engaged in a massive cyberwar with Bangladesh, so it’s easy to see that the hack is high-profile and damaging to the Pakistani cyber world.

Let’s see where this takes the hackers on both sides. The compromised websites have been listed on Pastebin. At the time of publishing this article, some of the websites had been restored while most were still hacked and displaying the defacement page left by the hacker.

A link to the targeted Pakistani president’s website, along with its mirror as proof of the hack, is available below:


Mexico has potential but underuses cyber intelligence

Posted on

Inefficiency and improper use of intelligence systems by the Mexican authorities have undermined national security, as the escape of “El Chapo” from the Altiplano prison shows.

Earlier indications, efficient intelligence work and coordination with international security agencies should have prevented the imminent escape of Joaquín “El Chapo” Guzmán from the Altiplano maximum-security prison, says Jorge Ríos, an information security specialist at the International Institute Of Cyber Security (IICS).

According to Ríos, several factors put Mexico’s national security at risk, such as terrorism, cyber attacks, and trafficking in drugs and even people, and although the country’s technological infrastructure has great potential, it is underused.

Control Center

One of the things that could have warned the Mexican authorities were the tweets of Iván Archivaldo Guzmán, alleged son of the drug trafficker, in the months before the escape. They went unnoticed by the Sistema Nacional de Inteligencia (SIN), the body in charge of national security matters.

“I’m not lying, I have cried, but that’s what men do and now it’s my turn; I have armed people with me and I promise you the general will soon be back,” Iván posted on 9 May. “Everything comes to those who know how to wait,” he wrote on 7 July, days before “El Chapo’s” escape.

The DEA also reported that Joaquín Guzmán Loera, leader of the Sinaloa cartel, tried twice to escape from the Altiplano maximum-security prison in 2014, indications that could have led to timely detection of the trafficker’s escape, according to the International Institute Of Cyber Security (IICS).

“Social networks are a powerful tool and give the government the ability to easily carry out intensive surveillance of suspect individuals. There is a large number of tools for monitoring people’s activity on social networks, ranging from monitoring criminal activity to being aware that someone is talking about a particular agency on social networks.

“Mexican agencies could have done everything possible to prevent an event like this from happening; however, the rule is that the different security agencies have to communicate with the intelligence agencies of other countries (…) in order to carry out all the activities (strategies) without errors,” he said.

He explained that Mexico’s existing technological infrastructure has great potential, but the security agencies have not used it so far. Indeed, the country was recently identified as one of the main clients of an Italian cyber-espionage company, with customers including the PGR, Cisen, Semar and seven state governments.

“Therefore the government needs to develop a cybersecurity strategy with the support of experts who help it think one step ahead of the criminals and avoid this kind of event.

“In line with international security best practices, the government should deploy a new system for developing cybersecurity capability, focused on industry best practices, training, auditing and professionalization,” he explained.

In terms of cybersecurity threats to national security, Mexico appears vulnerable compared with countries such as the United States and England. In 2014 alone more than eight million cyber attacks were recorded in the country, with sectors such as government, academic organizations and private companies the most affected, the International Institute Of Cyber Security (IICS) reported.

Last Wednesday, Ramón Eduardo Pequeño García, head of the Intelligence Unit of the Federal Police (PF), was dismissed from his post, after Joaquín “El Chapo” Guzmán escaped from the Altiplano federal maximum-security prison on 11 July.


Abandon XP! Malware is coming to get you

Posted on

Microsoft ended support for other elements of Windows XP – such as bug fixes, free assistance and software upgrades – in April 2014 but carried on with anti-malware support to help customers in the transition away from the operating system.

But Wednesday was the last day for virus warnings and updates for the popular Windows XP operating system which has been superseded by Windows 7, Windows 8 and – shortly – Windows 10.

Despite this graduated phase-out of support, over 180 million computers worldwide continue to use the 14-year-old system, leaving the door wide open to attacks on these computers, according to security experts.

Security expert Graham Cluley said in his blog that continuing to use XP is “a risky business”.

Heimdal Security describes the situation for users who fail to upgrade to newer systems as a “never-ending zero-day situation”.

Windows XP infections are set to skyrocket as Microsoft finally ends support for its anti-malware and malicious software removal tool.

Many users including businesses and even the US Navy have been slow to migrate from Windows XP which was seen as (comparatively) stable and easy to use. The termination of security support may finally be enough to push the die-hards to upgrade their software.

However, if you are a Windows XP user – and plan to continue on that path – you will need to switch to another anti-malware product, such as Avast or AVG, or find yourself hopelessly out of date when it comes to virus definitions.

Microsoft said: “If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats. Also, as more software and hardware manufacturers continue to optimise for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.”

According to Heimdal Security’s blog, other vendors are cutting support for Windows XP too, including Oracle which is ending Java support for Windows XP this month.


New GamaPoS Malware served by the Andromeda Botnet

Posted on

The experts at Trend Micro discovered GamaPoS, a new PoS malware that is spread through the Andromeda botnet in the US and Canada.

GamaPoS is the name of the latest PoS malware used by criminal crews to steal credit card data from the memory of payment systems. The Trend Micro researchers who discovered GamaPoS explained that it is distributed by a large botnet known as Andromeda, which has been around since 2011.

“We discovered GamaPoS, a new breed of point-of-sale (PoS) threat currently spreading across the United States and Canada through the Andromeda botnet.” states Trend Micro in a blog post.

The experts found infected systems in the US and Canada. The malware targets Windows systems and is written in Microsoft’s .NET; the researchers noted that the choice of .NET is unusual for RAM-scraping PoS malware.

New GamaPoS Malware served by the Andromeda Botnet

The experts noted that the attackers chose to spread the malware through a botnet rather than by stealing or guessing remote-access credentials, in response to countermeasures implemented by many retailers. Many organizations have in fact improved the security of their systems, protecting internal resources from remote attacks.

Bad actors have used a botnet in order to infect machines worldwide, including machines inside the trusted internal networks of target organizations.

Trend Micro reported that the attacks start with spam emails purporting to include PCI DSS (Payment Card Industry Data Security Standard) compliance documents or software updates necessary to protect systems from the recently discovered MalumPoS malware. The attachments contain malicious macros that install the Andromeda backdoor on the infected PC, which is then used to deliver GamaPoS.

“This means that it launches a spam campaign to distribute Andromeda backdoors, infects systems with PoS malware, and hopes to catch target PoS systems out of sheer volume. Rough estimates show us that GamaPOS may have only hit 3.8% of those affected by Andromeda.” continues the post.

The experts also found that the threat actors used the backdoor to download tools that can be used to manually compromise other systems on the affected organizations’ networks and move laterally.

The experts detected infected systems in a number of industries, including home health care, online retail and consumer electronics.

GamaPoS targets a range of cards, including Visa and Discover, whose holders are exposed to fraud.

“While the evaluated example does not do Luhn validation, GamaPoS does manually filter the data by evaluating the first few numbers of the scraped data.

  • 4 (length=12) – Visa
  • 56 to 59 (length=14) – Maestro and other ATM/debit cards
  • 6011 (length=12) – Discover Card
  • 65 (length=14) – Discover

Finally, it would attempt to upload the collected data via the command-and-control server that has been selected during initial execution.” states the post.
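The prefix/length filter quoted above is the kind of check a defender also wants, but run the other way round: scanning captured text (a memory dump, a terminal log, an outbound upload) for card-number-like strings during DLP or incident triage. The following is an added example, not Trend Micro’s or GamaPoS’s code. It reproduces the quoted prefix table as printed, adds the Luhn check the post says GamaPoS skips, and masks anything it reports; the log excerpt and the card numbers in it are constructed (the two valid ones are the standard Visa and Discover test numbers).

```python
"""Flag payment-card-number-like strings in captured text for DLP or incident
triage.  Added example, not Trend Micro's or GamaPoS's code.  The prefix/length
table reproduces the filter quoted in the post; the Luhn check is the
validation step the post says GamaPoS skips.  Sample input is constructed."""
import re
from typing import Dict, List, Optional

# (prefixes, required length, label) exactly as printed in the quoted post.
# Real PANs are 13 to 19 digits (ISO/IEC 7812), so this table on its own is a
# poor detector; it is kept here only to show what the quoted filter accepts.
GAMAPOS_PREFIX_FILTER = [
    (("4",), 12, "Visa"),
    (("56", "57", "58", "59"), 14, "Maestro and other ATM/debit cards"),
    (("6011",), 12, "Discover Card"),
    (("65",), 14, "Discover"),
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
_DIGIT_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def gamapos_style_match(digits: str) -> Optional[str]:
    """Return the label if `digits` passes the quoted prefix/length filter, else None."""
    for prefixes, length, label in GAMAPOS_PREFIX_FILTER:
        if len(digits) == length and digits.startswith(prefixes):
            return label
    return None


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812) over a string of ASCII digits."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:          # every second digit from the right is doubled
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (PCI DSS masking) for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pan_candidates(text: str) -> List[Dict[str, object]]:
    """Scan `text` for 13-19 digit runs and report Luhn validity plus whether the
    quoted GamaPoS filter would also have accepted each run."""
    hits = []
    for match in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        hits.append({
            "masked": mask_pan(digits),
            "luhn_valid": luhn_valid(digits),
            "gamapos_filter": gamapos_style_match(digits),
        })
    return hits


# Constructed sample: a terminal log excerpt with Track-2-style data.  The
# discretionary data after '=' is a 17-digit run that fails Luhn, as does the
# third number (a one-digit variant of the Visa test number).
SAMPLE_CAPTURE = (
    "POS-TERM-07 swipe ok ;4111111111111111=25121011234567890?\n"
    "approval 6011 1111 1111 1117 amount 42.10\n"
    "order 4111111111111112 ref 123456789012\n"
)


def luhn_valid_candidates(text: str = SAMPLE_CAPTURE) -> List[str]:
    """Masked PANs from `text` that pass Luhn; the other runs are noise worth dropping."""
    return [h["masked"] for h in find_pan_candidates(text) if h["luhn_valid"]]


if __name__ == "__main__":
    for hit in find_pan_candidates(SAMPLE_CAPTURE):
        print(hit)
```

Running it on the sample shows why the Luhn step matters: four digit runs look like card numbers, but only two survive the checksum, and none of them would have been accepted by the quoted 12/14-digit filter at all.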


Dozens Nabbed in Takedown of Cybercrime Forum Darkode

Posted on Updated on

MORE THAN 70 people have been arrested around the world in the takedown of one of the most active underground cybercrime web forums, according to authorities.

Darkode, which had been in operation since 2007, was an online marketplace catering to cybercriminals buying and selling hacking tools, zero-day exploits, ransomware, stolen credit card numbers and other banking data, as well as spamming and botnet services, before authorities seized it this week.

roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world,” US Attorney David Hickton said in a statement. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”


The crackdown, dubbed Operation Shrouded Horizon by the FBI, was initiated two years ago by that agency’s Pittsburgh, Pennsylvania, office but eventually included Europol and law enforcement agencies in more than 20 countries.

So far at least 12 people have been arrested in the US, and another 28 are known to have been arrested on Tuesday in Denmark, Germany, India, Israel, Romania, Sweden, and the UK.

The Kingpin

The alleged administrator of the site at the time of the crackdown was Johan Anders Gudmunds, a 27-year-old Swede who went by the online handles “Mafi,” “Crim,” and “Synthet!c,” and who took control of the forum from its founder in May, 2010, according to authorities.

Gudmunds allegedly created and sold a number of malware exploit packages (such as CrimePack, Antiklus and Pandemiya 2014), according to the indictment (.pdf) against him. He also allegedly created a botnet malware called Blazebot and controlled and sold access to a Zeus botnet that was 60,000 computers strong. The Zeus malware was designed to steal bank account credentials.


8 Technologies That Can Hack Into Your Offline Computer and Phone

Posted on

Whenever your computer, smartphone device or any other Internet-capable gadget is connected to the Internet, there is always a risk of security threats. This is the reason why hacking has now become a norm.

Privately funded organizations, as well as government agencies, use various cyber-spying technologies and tools to discover every possible eavesdropping opportunity while acquiring all the spying intelligence they can.


Getting hold of hidden, secret data can be a challenging task for spying agencies, because computer experts have specifically designed some computers to remain offline, with no access to the internet.

This technique for protecting sensitive data is known as air-gapping. In this technique, the computer systems are isolated from Internet access and are not even connected to other systems on the network.

This is an important step taken by the authorities, as the digital data stored on these computers is highly sensitive and must be protected from illicit access. That’s exactly how banking systems, classified military networks, payment networks and the critical control systems of large industries are protected!

But recent research by a well-known security company reveals that your computer and mobile phone can still be hacked even if they aren’t connected to the internet.

So here are some of the ways through which your computer and mobile phone can be hacked – even if they are not connected to the online world!


Every powered device, once plugged into a power line, emits electromagnetic radiation, and that radiation can be used to intercept information, a capability verified using various technologies by both the U.S. and the USSR.


These emissions can easily be used to remotely record keystrokes. According to Kaspersky Lab:



Since we are discussing electromagnetic emissions and electricity: researchers have shown that it is possible to infer the activity of any electronic device from the amount of power it draws.

Using equipment known as a load monitoring system, one can monitor changes in current and voltage to understand power-consumption activity. Equipment like this is used by electricity providers to better understand the load and power consumption of specific areas, and to find out what exactly is causing changes in energy usage.

But what the research found is that Japan is using a Non-Intrusive Appliances Load Monitoring System (NIALMS) that works through a neural network (NN); this system is specifically designed for residential consumers, so that the provider can find out which device the consumer is using.


In the same way, some medical researchers have created a computer program to detect vulnerabilities in their computer networks. This monitoring program analyses power consumption to detect whether any malware has been injected into the network.


Your smartphone’s accelerometer, a sensor used to track tilting motion of your smartphone, can be used as a keylogger to record keystrokes of any computer, according to the research performed by Patrick Traynor, Assistant Professor of Computer Science at Georgia Tech.



Computer hackers can use methods like these to eavesdrop on a user’s keystrokes, but the actual threat is fairly low because of the poor accuracy.


Hackers can track the movements of millions of subway travellers around the world, according to researchers at Nanjing University. By tapping a smartphone’s built-in motion sensor, the accelerometer, they can detect the bumps and the duration of a trip between stations.



According to the researchers, every subway station in the world has a unique fingerprint, and every time a train runs between two stations that specific fingerprint can be recorded by the smartphone’s accelerometer, possibly giving hackers access to sensitive information such as which subway station a specific person has travelled to.


Voltmeters and a laser beam can be used to sniff computer keystrokes, according to researchers Andrea Barisani and Daniele Bianco, who discovered this technique and demonstrated it at the Black Hat security conference in Las Vegas.

“The only thing you need for successful attacks are either the electrical grid or a distant line of sight, no expensive piece of equipment is required,” – Barisani and Bianco while describing their hacks.


When you use your computer keyboard, every key press generates a voltage signal, and those signals can be captured by hackers using a voltmeter. Because computer keyboards have an unshielded wire, those signals leak into the ground wire of the computer’s main power cable. The voltmeter captures the bit streams and voltage fluctuations generated by the keyboard and reveals which keys you are hitting.

The second method uses a laser. The attacker points a laser beam at a shiny object on your desk or a shiny part of your laptop, then aligns a receiver to record the vibrations caused by each keystroke, which are carried back in the reflected beam.

According to the Network World:



Keyboard interception is not very useful in most cases, for obvious reasons: captured keystrokes alone do not give access to the data stored on the computer system.

However, according to Kaspersky Lab, some external methods can be used to infect with malware a computer that isn’t even connected to the internet. That is exactly how the famous Stuxnet worm infected its target computers inside a uranium-enrichment facility. Once a computer was infected, the malware worked much like an inside spy, leaking confidential data through a physical medium.


Israeli researchers, for their part, have developed eavesdropping software that modulates the electromagnetic radio signals emitted by various computer hardware. These signals are strong enough to be received by the simple FM receiver in a mobile phone.

Computers that store confidential data are usually placed in well-shielded rooms and completely isolated from external networks; these precautions are taken to eliminate any possible data leakage. But hackers can use software like this to access the protected data despite all the isolation.


The Israeli research team from Ben Gurion University has shown how hackers can steal data from a computer using only heat emissions. They have found a way to eavesdrop on an air-gapped computer using the computer’s built-in thermal sensors and heat output.


This unusual method allows hackers to secretly spy on the security keys and passwords stored on the protected computer and then transmit the data to a nearby Internet-connected computer under the hacker’s control.

Additionally, the same Internet-connected computer can be used to transfer malicious programs to the air-gapped computer by the same thermal method. Obviously this means of eavesdropping is very slow and cannot transfer large amounts of data, but it is undoubtedly effective.

Kaspersky Lab, explaining how this method works:



Keeping your computer inside a well-isolated chamber does not guarantee complete protection against data leakage, because ultrasound technology can easily let sensitive data pass through.

Tristan Lawry, a doctoral candidate in Electrical and Computer Engineering, has developed spy equipment that can transfer data at high rates even through thick, solid steel barriers. What is more interesting about this equipment is that, apart from transferring data, it can also transmit power.

This spying kit is a secret technology actually used by the British intelligence services, but it has been reinvented by a graduate of an American university.

According to the Kaspersky Lab:



Cloudminr Hack Exposes Data on 80,000 Bitcoin Miners

Posted on

Attackers were able to break into servers belonging to Bitcoin cloud-mining platform last week and harvest the site’s entire database. Now hackers are attempting to sell the information, which includes thousands of unencrypted usernames, email addresses, and passwords.

Cloudminr, a Norwegian company that started last year, relies on processing power from remote data centers to generate Bitcoin.  Those looking to make money off the crypto-currency without spending money on their own equipment often invest in Bitcoin mining companies to do the work for them.

Cloudminr Hack Exposes Data on 80,000 Bitcoin Miners

While the company’s website is currently offline, it was replaced early Monday with a rudimentary storefront that claimed the site’s database, including information on 79,267 users, had been hacked and was for sale. According to several posts on the forum, the attackers are allegedly offering the information in exchange for 1 BTC, or roughly $289 USD. If legitimate, the sum could be a small price for an attacker to pay considering the information that could potentially lie in the database.

With a little social engineering, an attacker could recover a user’s password for any wallets or exchanges they might use, or use the information to log into a user’s Cloudminr account and withdraw Bitcoin directly from it.

Furthermore if a Bitcoin miner used the same login information for Cloudminr as they do for a forum like, an attacker could log into that account and gather additional information about the user, as well.

According to the Cloud Mining Directory, a site that aggregates information about cloud mining services, when’s site went down on Friday, it was replaced with a message: “CLOUDMINR.IO is temporarily down until a new website is made from scratch to avoid any backdoors left by hackers.”

While the legitimacy of the company has long been debated on Bitcoin forums, the fact that its developers appear to have stored its users’ credentials in plain text doesn’t make it any less bitter of a pill to swallow for Bitcoin investors who opted to use Cloudminr.
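What plain-text storage costs is clear from the paragraph above: whoever copies the table owns every password in it. The alternative is to store only a salted, iterated hash, so that a leaked table still has to be cracked one account at a time. The block below is an added example written for this page, not Cloudminr’s code; it uses PBKDF2-HMAC-SHA256 from the Python standard library, the iteration count is an assumed value in the range current guidance recommends rather than anything from the page, and the sample accounts are constructed.

```python
"""Salted, iterated password hashing as the alternative to the plain-text
credential storage described above.  Added example, not Cloudminr's code.
Uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an
assumed value, not a page value."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict

PBKDF2_ITERATIONS = 600_000  # assumed; tune so one hash costs roughly 100 ms on your servers
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed dictionary for everyone."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the record's own parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except (ValueError, TypeError):
        return False                 # malformed record (e.g. a legacy plain-text row)
    return hmac.compare_digest(candidate, expected)


def build_user_table(users: Dict[str, str]) -> Dict[str, str]:
    """What the stored table looks like when hashed: no password is recoverable from it."""
    return {name: hash_password(pw) for name, pw in users.items()}


# Constructed sample accounts, not real Cloudminr data.
SAMPLE_USERS = {"miner01": "correct horse battery", "miner02": "hunter2"}


if __name__ == "__main__":
    table = build_user_table(SAMPLE_USERS)
    for name, record in table.items():
        print(name, record)
    print("login ok:", verify_password("hunter2", table["miner02"]))
```

Because the iteration count travels inside each record, it can be raised later for new or re-hashed accounts without breaking verification of the old ones.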

The company allegedly reached 11,000 customers in its first month last year according to the Cloud Mining Directory, a figure that if correct, made it one of the largest Bitcoin mining collectives in the industry.

In January Bitstamp, a U.K.-based Bitcoin exchange was forced offline after a hack resulted in the theft of around $5M in Bitcoin.

According to an incident report regarding the compromise that surfaced online late last month the company was hit by a sophisticated phishing attack in November 2014 that targeted six different employees over Skype and tricked them into opening rigged Word documents.


DDoS Ransom Notes, to Honor or Not to Honor?

Posted on

In the wake of cyber crimes, a DDoS (Distributed Denial of Service) attack is something to be on the look-out for.

Lately, these attacks have seen phenomenal growth not only with regard to the increasing number of cases but also to new twists of development they are gaining.

DDoS attacks, as the name suggests, bar legitimate users access to a server or network resource by disrupting services of a host linked to the Net.

DDoS ransom


There are many possible explanations for the increase in DDoS attacks. It is rather unfortunate that some victims of this crime are not aware of its existence in the first place. For some time, DDoS attacks were associated with crazy kiddies out there trying to have fun or earn easy cash; not so anymore. With the new development of ransom notes, this concept has taken a whole new turn.

This wave of extortion has gone on a much higher level with attackers not only sending threatening notes but also giving their victims a taste of the damage they can cause.

Aggressive competition in the business world could well be another ground for DDoS attacks. It is not uncommon for some unscrupulous companies to use this means to gain a competitive advantage or even to launch an attack against their rivals.

Politics too has its stake in it. DDoS attacks have also been brought about by philosophical and political rivalry. Elsewhere, groups associated with hate crime have used DDoS attacks to get even with their enemies.

Attackers may also be driven by a craving for attention from the targeted sites or groups, or simply by a wish to test their capabilities.

For whatever reason, money is a major motivating factor, whether for the script kiddie, the low-level cyber criminal or well-established gangs like DD4BC. In fact, the latest extortion attempt by DD4BC on Bitcoin companies serves as an example of money being the motivating factor.

This notorious group has been known to launch its DDoS attacks at a fairly low level, say 150 requests/sec together with no more than 40Gbps of network-layer flooding. This may be presumed to be a low-level attack, but it is capable of bringing down small and medium-sized sites.

Since as early as November 2014, it has been quite evident that DD4BC have been targeting bitcoin and gaming websites. They have now moved on to the payment industry.


A ransom note typically means that you are a victim: there is a possibility your site is no longer secure, and anything could happen at any time from the moment you receive the note. In most instances, a complete shutdown or interruption of your website precedes the note, to show you that these criminals are in serious business.

There are three choices: take no notice of the note, honor the note with quick payment, or face it and declare war. Ignoring the note is a fifty-fifty gamble. It could signal to the attackers that you already know about them and are well prepared, so that they stop their pursuit; or they could actually carry out their threats on your site, which might be costly.

Honoring the ransom note, apart from costing you the ransom amount, is clear evidence of the unpreparedness of your website and its lack of DDoS security. It also exposes your site to many more extortions, so expect another ransom note.

The third and best option is to fight back. It doesn’t help just sitting back and watching yourself become a puppet in the hands of these extortionists. A good example is Bitalo Bitcoin Exchange, a company that became DD4BC’s first prey. This company refused to be manipulated and publicized the threat. Bitmain Bitcoin Company was second on the list, coming out in public in March 2014 about the threat it had received from DD4BC.

Taking such a bold step as the two companies did is the way to go about it. This step requires preparedness in the form of a professional DDoS protection. You will need to have this protection set on your systems before or as soon as you get a ransom note. Better still, you can acquire a professional DDoS action plan in place in case your site falls victim to these attacks.


Beware of Fake Apps: Google Deletes Fake BatteryBot Pro Malware App

Posted on

Last week we reported hackers are developing Android malware every 17 seconds, making it one of the most vulnerable OS ever.

Now a spoofed copy of the popular app named as “BatteryBot Pro” requested unnecessary permissions from the user during installation in an attempt to get full control over the user’s Android device, a researcher found out.

The app is alleged to imitate the functionality of the authentic app while hiding ad-fraud activity; it has recently been removed by Google from the official Android Play Store.


For those of you who don’t know, BatteryBot Pro is a genuine battery monitoring app that already exists in the Android app store which offers its users to check detailed information related to their smartphone’s battery like its temperature, voltage, health, current information in mA, and other useful data.

An unknown hacker decided to copy the original app’s functionalities while implementing irremovable malware, but thanks to a researcher named Shivang Desai who reported the app to Google and spoiled the developer’s vision of hacking Android devices.

The package of this app was named “com.polaris.BatteryIndicatorPro.”

The developers behind this app were trying to infect enough devices so that they can generate profit through ad click fraud and premium short messaging service (SMS) fraud. Apart from that, the app is precisely designed to download and install additional malicious Android APKs without the user’s permission. In addition to the hidden downloading of apps, the malware app also displays pop-up advertisements to the user.

“This malware was not only built with the purpose of displaying ads, it was also designed with more evil intentions,” Desai said.


When installed, the malicious app requested many more permissions than the original app. Some were normal, but others were troublesome, including permission to access the Internet, mount and unmount file systems, send SMS messages, disable the keyguard, get user account information, download without notification, and initiate outgoing calls.

After installation of the malicious app, the researcher found out that the malicious app “demanded administrative access,” which indicates that the objective of developer is “to obtain full control access of the victim’s device.”
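The permission list and the device-admin request described in the two paragraphs above are exactly what an app-vetting or mobile-security team checks before an APK reaches a fleet. The block below is an added example, not Zscaler’s or Google’s code: it parses a decoded AndroidManifest.xml and flags the permissions the post calls troublesome together with a device-admin receiver. The page names the permissions in words; the android.permission.* constant names are my mapping of them, the verdict thresholds are my own, and both manifests are constructed (the package name is the one the post gives, the rest is made up).

```python
"""Triage a decoded AndroidManifest.xml for the pattern described above: risky
permissions that a battery monitor has no reason to request, plus a
device-admin receiver.  Added example, not Zscaler's or Google's code.  The
permission constants are my mapping of the post's wording (assumed); both
manifests below are constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the post calls troublesome, keyed by manifest constant (mapping
# assumed), with the abuse each one enables.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "premium-SMS fraud",
    "android.permission.CALL_PHONE": "unsolicited outgoing calls",
    "android.permission.DISABLE_KEYGUARD": "lock-screen bypass",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS": "external-storage tampering",
    "android.permission.GET_ACCOUNTS": "account enumeration",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent payload download",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Summarise the risk indicators in a manifest; thresholds are my own (assumed)."""
    root = ET.fromstring(manifest_xml)
    requested: List[str] = [
        e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")
    ]
    risky = {p: RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app asks for device-admin
    # rights, which the post ties to the app resisting uninstallation.
    device_admin = any(
        r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
        for r in root.iter("receiver")
    )
    if device_admin and risky:
        verdict = "block"
    elif device_admin or risky:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "package": root.get("package"),
        "requested": requested,
        "risky": risky,
        "requests_device_admin": device_admin,
        "verdict": verdict,
    }


# Constructed manifest modelled on the post's description (package name from the post).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.polaris.BatteryIndicatorPro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="BatteryBot Pro">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a battery monitor that asks only for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.battery.monitor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Battery monitor"/>
</manifest>
"""


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

On a real APK the manifest is binary-encoded; decode it first (apktool or aapt dump xmltree) and feed the text in. The point of the verdict logic is the combination: SEND_SMS alone is ordinary for a messaging app, but SEND_SMS plus device-admin in a battery utility is the signature the post describes.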


But once the permission is granted by the victim, the malware app will provide exactly the same functionality of the original BatteryBot Pro app but continues to execute malicious activity in the background.

Apart from executing malicious activity, the app also tried to download various advertisement libraries that carry out a click-fraud campaign, the security researcher found.

Legit app

“Some of these URLs were hard coded in the app and some were sent by the remote server.” – Shivang Desai, Zscaler Security Researcher.


The malware app also tried to pull some personal information from the device, including cell phone operator, availability of SIM card, IMEI number, language, cell phone model, location and available device memory.

Then depending on the collected parameters, the malware app begins to receive the list of advertisements to be displayed on the device along with the URL from where the ads will be fetched.


Apart from the click-fraud and ad-fraud activities, the app is explicitly designed so that once installed it can never be uninstalled again, at least by a novice user. The app runs with administrative rights so that the user cannot remove it.

According to the researcher who tried to uninstall this malicious app,

“While in some of the scenarios we were able to manually delete the app, the malware authors have taken care to ensure persistence. The malware silently installs an app with a package name of com.nb.superuser, which runs as a different thread and resides on the device even if the app is forcefully deleted.”

“A few traces of command execution were also seen in the app but were not fully implemented,” said Shivang Desai, the researcher at Zscaler. “Perhaps the developer is working on an upgraded version of the malware with proper ‘command-execution’ functionality,” Desai further added.