Thursday 30 January 2014

MediaWiki Remote Code Execution vulnerability leaves Wikipedia open for Cyber attacks

Wikipedia, the encyclopedia giant, has been found vulnerable to remote code execution because of a critical flaw in the MediaWiki software.

Wikipedia is a name which has become a major source of information for all of us. It has webpages on almost every topic you need to search.

This giant is powered by an open source wiki software called MediaWiki. MediaWiki not only empowers Wikipedia, but also a number of other wiki websites. This software is a product of the Wikimedia Foundation and is coded in PHP with a database as backend.

Check Point Software Technologies found a remote code execution vulnerability in MediaWiki: "This vulnerability affects all versions of MediaWiki from 1.8 onwards."

The vulnerability, assigned CVE-2014-1610, allows an attacker to execute shell commands remotely via an incorrectly sanitized parameter on the MediaWiki application server.
“Shell meta characters can be passed in the page parameter to the thumb.php.” (Bug 60339)
MediaWiki announced Security Releases 1.22.2, 1.21.5 and 1.19.11, "Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandler extension). Neither file type is enabled by default in MediaWiki installations. If you are affected, we strongly urge you to update immediately."
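Detection logic a wiki operator could run over web server access logs for the pattern the advisory describes (shell metacharacters in thumb.php's page parameter), as an added example that is not code from the page or from MediaWiki; the log lines and client addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Characters a POSIX shell interprets; a legitimate thumb.php page number is digits only.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")

# Request field of a combined-format access log line, e.g. "GET /w/thumb.php?... HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_thumb_request(target):
    """Return a reason string if a thumb.php request carries a suspicious page value, else None."""
    parsed = urlparse(target)
    if not parsed.path.endswith("/thumb.php"):
        return None
    query = parse_qs(parsed.query, keep_blank_values=True)
    for value in query.get("page", []):
        # parse_qs already decoded once; decode again to catch double-encoded values.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return f"shell metacharacter in page={decoded!r}"
        if not decoded.isdigit():
            return f"non-numeric page={decoded!r}"
    return None


def scan_access_log(lines):
    """Return (line_number, client_ip, reason) for every suspicious thumb.php request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reason = inspect_thumb_request(match.group("target"))
        if reason:
            findings.append((number, line.split(" ", 1)[0], reason))
    return findings


# Constructed sample log lines with RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2014:10:01:02 +0000] "GET /w/thumb.php?f=Manual.pdf&width=180&page=2 HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jan/2014:10:01:09 +0000] "GET /w/thumb.php?f=Manual.djvu&width=180&page=2%7Cx HTTP/1.1" 500 0
203.0.113.8 - - [30/Jan/2014:10:01:15 +0000] "GET /w/thumb.php?f=Manual.djvu&width=180&page=abc HTTP/1.1" 500 0
203.0.113.9 - - [30/Jan/2014:10:02:00 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 9000
""".splitlines()

if __name__ == "__main__":
    for number, client_ip, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {number} from {client_ip}: {reason}")
```

Only the page parameter is checked here; thumb.php takes other parameters that would need their own rules.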

Key finding: had it been left unpatched, the vulnerability could have turned Wikipedia's web servers into a distributor of malicious content.

"Check Point promptly alerted the WikiMedia Foundation to the presence of this vulnerability, and after verifying it the Foundation released a software update to correct the issue."

The Wikimedia Foundation released an update after learning of the vulnerability from Check Point. This is the third remote code execution vulnerability reported in the MediaWiki platform since 2006.

“It only takes a single vulnerability on a widely adopted platform for a hacker to infiltrate and wreak widespread damage,” says Dorit Dor, vice president of products, Check Point Software Technologies. Check Point's Vulnerability Research Group assesses common software to ensure the security of Internet users.

MediaWiki's latest stable version, 1.22.2, is fully patched against this flaw, and Wikipedia has now been upgraded to it.

Because so many security researchers are hunting for loopholes in the products available on the Internet, open source software has become a top priority for security testing.

ICEPOL Ransomware Servers seized by Romanian Police that infected 260,000 Computers

After financial and banking malware, ransomware has become the first choice of money-motivated cybercriminals.

A new ransomware Trojan known as ICEPOL is one such widespread piece of malware: according to analysis by the security firm Bitdefender, it was successfully installed approximately 267,786 times worldwide, 42,400 of them in the USA alone, over a five-month period.

The ICEPOL Trojan (also known as Reveton) is categorized as ransomware: it locks your PC and demands a ransom to unlock it. The malware used a previously known vulnerability in Java, CVE-2013-0422, to infect systems.

The malware accused the user of illegal piracy or 'porn-related activity' and, pretending to speak for the 'police', demanded money in exchange for exemption from punishment.

“The ICEPOL Trojan extorted victims who downloaded it by sending them a message in any one of 25 languages purporting to be from police accusing them of downloading copyrighted material or illegal porn,” said Catalin Cosoi, Chief Security Strategist from Bitdefender.

The malware included one more money-making scheme: redirecting victims to websites in a pay-per-click scam run through a traffic exchange mechanism. The police estimate that more than $32,000 was stolen from U.S. victims over the five-month period.

The Romanian police, in cooperation with the Internet security firm Bitdefender, found dozens of C&C servers and seized one of the major ones, located in the Romanian capital Bucharest, which was part of the large-scale distribution of the ICEPOL Trojan.

“The results of the investigation of the ICEPOL Trojan are based on cooperation with various law enforcement agencies and third party vendors. Despite the complex investigations, we have so far achieved very good results and we will continue to fight cybercrime,” says the head of the agency against cyber crime, the Romanian National Police.

This is not the first time ransomware has tricked victims successfully: last year CryptoLocker, of the same category, hit millions of computer users. So users are advised to keep their system software and anti-virus solutions up to date and, most importantly, to patch their Java installation immediately to Update 51.

Stay Safe! Stay Tuned!

Cryptography Hacks - Hash Encryption using DuckDuckGo Search Engine

Over the past several months, it has become clear that the Internet and our privacy have been fundamentally compromised. The private search engine DuckDuckGo claims that when you click on one of its search results, it does not send personally identifiable information along with your request to the third party.

Like Google dorks (advanced search patterns), thousands of similar but technically more useful search hacks, called DuckDuckGoodies, are available in DuckDuckGo. Today I am going to share some handy "cryptography" goodies of the DuckDuckGo search engine.

Whether you are a hacker, cracker or researcher, you face a number of hash strings in your day-to-day work. Hashing is a one-way function (loosely, one-way encryption) applied to plain text or a file, generally used to protect passwords or to check the integrity of a file. There is a set of standard hashing algorithms, e.g. MD5, SHA-1, SHA-512 etc.

A hash function produces exactly the same output every time it is run on the same input, while even a very small change in the input produces a different output.

DuckDuckGo is a search engine that gives you the flexibility to perform such operations. It lets a user generate the hash of a string, find the algorithm used to generate a hash, and get other equivalent hashes for a given hash input.

1.) Generating a Strong Password: The security and integrity of our passwords is a constant battle. A password is the only lock that can keep your private information secure. One of the biggest reasons people use weak passwords is a combination of convenience and the ability to recall them easily. But using a weak password is equivalent to installing a lock on your front door that could be opened with a Popsicle stick.

Last year, we reported that hackers managed to crack a 16-character alphanumeric password in less than an hour. No password is foolproof, but by using a long, unique and strong password you can make it complicated enough to slow down password cracking programs. DuckDuckGo provides a feature for generating a strong password instantly.

Search Term: password 15 strong
Where 15 is the password length.

2.) Generating a Hash: Hashing makes it difficult for an attacker to recover the original plain text string from the stored hash, and it lets sites keep a list of hashes rather than plain text passwords.

Using DuckDuckGo's Handy option, you can generate a hash value of any string just by using the following syntax on the search engine.
md5 TheHackerNews
sha512 TheHackerNews
sha TheHackerNews
sha224 TheHackerNews
sha256 TheHackerNews
sha384 TheHackerNews
Where TheHackerNews is the plain text string and md5 or sha is the hashing algorithm.

3.) Identifying the Hash Algorithm: Working out by hand which algorithm generated a hash is a tedious task. DuckDuckGo provides an inbuilt hash identification tool that tells you the hashing algorithm used to generate the hash string given as input.
hash a69649f9f5a7f81ac303ea77d748c77a
4.) Finding Plain Text from Hashes: One more great feature of the DuckDuckGo search engine is that it gives you the plain text value and the equivalent hash in other algorithms. DuckDuckGo is not cracking hashes for you; it actually matches the hash value against previously leaked database archives.
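The goodies from items 2 to 4, plus the "small change, different output" property described earlier, re-created in Python as an added example (not DuckDuckGo's code) to show what each does under the hood: digest generation, length-based identification, the avalanche effect, and why item 4 is a table lookup rather than cracking, which a random per-user salt defeats. That `sha` means SHA-1 and the small wordlist are assumptions.

```python
import hashlib
import os
import re

# Algorithms the article lists, mapped to hashlib; "sha" on DuckDuckGo is assumed to mean SHA-1.
ALGORITHMS = {
    "md5": hashlib.md5, "sha": hashlib.sha1, "sha1": hashlib.sha1,
    "sha224": hashlib.sha224, "sha256": hashlib.sha256,
    "sha384": hashlib.sha384, "sha512": hashlib.sha512,
}
# Hex digest length -> candidate algorithms, the same clue the `hash <hex>` goodie relies on.
BY_LENGTH = {32: ["md5"], 40: ["sha1"], 56: ["sha224"],
             64: ["sha256"], 96: ["sha384"], 128: ["sha512"]}


def digest(algorithm, text):
    """`md5 TheHackerNews` style: hex digest of a UTF-8 string."""
    return ALGORITHMS[algorithm](text.encode("utf-8")).hexdigest()


def identify(hexdigest):
    """Candidate algorithms for a hex digest, judged by length alone (the usual heuristic)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdigest):
        return []
    return BY_LENGTH.get(len(hexdigest), [])


def bit_difference(algorithm, a, b):
    """Fraction of output bits that differ between the digests of two inputs (avalanche effect)."""
    x = int(digest(algorithm, a), 16)
    y = int(digest(algorithm, b), 16)
    bits = ALGORITHMS[algorithm]().digest_size * 8
    return bin(x ^ y).count("1") / bits


def build_table(wordlist):
    """Precompute unsalted digests for a wordlist, which is what a leaked-hash archive amounts to."""
    table = {}
    for word in wordlist:
        for algorithm in ("md5", "sha1", "sha256"):
            table[digest(algorithm, word)] = word
    return table


def lookup(hexdigest, table):
    """Match (not crack) a digest: returns (plaintext, equivalent digests) or None."""
    word = table.get(hexdigest.lower())
    if word is None:
        return None
    return word, {name: digest(name, word) for name in ("md5", "sha1", "sha256", "sha512")}


def salted_digest(algorithm, text, salt=None):
    """A random per-user salt makes the same password hash to a different value, so no
    precomputed table matches it (a slow KDF such as bcrypt or scrypt is still the proper
    password hash; the salt alone is shown here to make the lookup point)."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex(), ALGORITHMS[algorithm](salt + text.encode("utf-8")).hexdigest()


# Constructed wordlist standing in for a leaked archive.
SAMPLE_TABLE = build_table(["password", "letmein", "TheHackerNews"])
```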
Tor exit enclave: DuckDuckGo also operates a Tor exit enclave, which basically means that if you’re using DuckDuckGo through the Tor anonymity tool, you will achieve end-to-end anonymous, encrypted search that is faster than what you might expect with Tor browsing, alone.

Edward Snowden nominated for Nobel Peace Prize 2014

Now there is really great news for all the supporters of Former National Security Agency (NSA) contractor Edward Snowden, as he is nominated for the 2014 Nobel Peace Prize by two Norwegian lawmakers.

Snorre Valen and Baard Vegar Solhjell, parliamentarians from Norway’s Socialist Left Party said, “He has contributed to revealing the extreme level of surveillance by nations against other nations and of citizens,”

Edward Snowden revealed various far-reaching NSA spying projects and is responsible for handing over material from one of the world's most secretive organizations, the NSA. He faces charges of theft and espionage and is in Russia on temporary asylum.

“Snowden contributed to people knowing about what has happened and spurring public debate” on trust in government, which he said was “a fundamental requirement for peace”.

Snorre Valen also added that, “There’s no doubt that the actions of Edward Snowden may have damaged the security interests of several nations in the short term”.

According to the Guardian, The five-member panel will not confirm who has been nominated, but those who submit nominations sometimes make them public.

Since 1901, when the Nobel Peace Prize was launched, it has been awarded to a hundred individuals who “shall have done the most or the best work for fraternity between nations, for the abolition or reduction of standing armies and for the holding and promotion of peace congresses.”

The Nobel Committee accepts nominations from members of national assemblies, governments, international courts, professors and previous laureates. It received a record 259 nominations for last year’s prize.

After dropping out of high school, he worked his way into the most secretive computers in U.S. intelligence as a defense contractor, and he identifies himself as the source of the leaks about US surveillance programs such as PRISM, DROPOUTJEEP, DISHFIRE, MUSCULAR and many more. His releases sparked diplomatic grumbles aplenty.

Snowden is the one who created awareness among all of us when it comes to ‘PRIVACY’. He would be the youngest Nobel Peace Laureate in the history of the prize.

Being nominated for the 2014 Nobel Peace Prize is definitely an honor for the 30-year-old. Now let's see whether he will win the prize or not.

Java-Bot, a Cross-platform malware launching DDoS attacks from infected computers

These days botnets are all over the news. In simple terms, a botnet is a group of computers networked together, running a piece of malicious software that allows them to be controlled by a remote attacker.

A major target for most malware is still Windows, but the growing market share of Mac OS X, Linux and smartphones also gives cybercriminals a solid reason to focus on them.

Recently, Kaspersky Lab has detected another cross-platform Java-Bot, capable of infecting computers running Windows, Mac OS X, and Linux that has Java Runtime Environment installed.

Last year, Zoltan Balazs - CTO at MRG Effitas submitted the samples of malicious Java application for analysis to Kaspersky Lab and they identified it as HEUR:Backdoor.Java.Agent.a.

According to researchers, Java-Bot compromises computers by exploiting a previously known critical Java vulnerability, CVE-2013-2465, that was patched last June. The vulnerability is present in Java 7 Update 21 and earlier versions.
The CVE-2013-2465 description says:
"An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D."
Once the bot has infected a computer, it copies itself into the home directory and registers itself with the system's startup programs so that it is launched automatically. The malware is designed to launch distributed denial-of-service (DDoS) attacks from infected computers.

It uses the following methods to start itself, depending on the target operating system:
  • Windows – the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key
  • Mac OS – the standard Mac OS service launch mechanism
  • Linux – /etc/init.d/
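A read-only check of the three autostart locations listed above for a Java jar launched from the user's home directory, as an added example (not Kaspersky's or the bot's code); the ~/Library/LaunchAgents folder for Mac OS is an assumption and the sample entries are constructed.

```python
import platform
import plistlib
import re
from pathlib import Path

JAVA_LAUNCH = re.compile(r"\bjava(?:w)?(?:\.exe)?\b", re.IGNORECASE)
JAR_PATH = re.compile(r"""([^\s"']+\.jar)\b""", re.IGNORECASE)
# Autostart locations from the analysis; ~/Library/LaunchAgents is my assumption for
# "the standard Mac OS service launch" (launchd).
WINDOWS_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
MAC_LAUNCH_AGENTS = Path.home() / "Library" / "LaunchAgents"
LINUX_INIT_D = Path("/etc/init.d")

def _norm(path):
    return str(path).lower().replace("\\", "/").rstrip("/")

def is_suspicious(command, home):
    """True if an autostart command runs Java on a .jar stored under the user's home directory.
    Heuristic only: the bot copies itself into $HOME and registers there; real services rarely do."""
    found = JAR_PATH.search(command)
    if not JAVA_LAUNCH.search(command) or not found:
        return False
    jar = found.group(1)
    if jar.startswith("~"):
        jar = str(home) + jar[1:]
    return _norm(jar).startswith(_norm(home) + "/")

def collect_entries():
    """Read-only walk over the three autostart locations on the running host."""
    entries, system = [], platform.system()
    if system == "Windows":
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINDOWS_RUN_KEY) as key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                entries.append((f"HKCU\\{WINDOWS_RUN_KEY}\\{name}", str(value)))
                index += 1
    elif system == "Darwin":
        for plist in MAC_LAUNCH_AGENTS.glob("*.plist"):
            with open(plist, "rb") as fh:
                args = plistlib.load(fh).get("ProgramArguments", [])
            entries.append((str(plist), " ".join(args)))
    else:
        for script in LINUX_INIT_D.glob("*"):
            try:
                entries.append((str(script), script.read_text(errors="replace")))
            except OSError:
                continue
    return entries

def scan(entries, home=None):
    """Return the (location, command) pairs that look like a jar auto-started from $HOME."""
    home = Path.home() if home is None else home
    return [(loc, cmd) for loc, cmd in entries if is_suspicious(cmd, home)]

# Constructed sample entries (one per platform plus a benign one), standing in for collect_entries().
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jupdate",
     r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\Users\alice\jupdate.jar'),
    ("/Users/alice/Library/LaunchAgents/com.update.plist",
     "/usr/bin/java -jar /Users/alice/Library/.update.jar"),
    ("/etc/init.d/sysupd", "#!/bin/sh\njava -jar /home/alice/.cache/sysupd.jar &\n"),
    ("/etc/init.d/tomcat", "#!/bin/sh\n/usr/bin/java -jar /opt/tomcat/bin/bootstrap.jar start\n"),
]
```

On a live host, `scan(collect_entries())` applies the same heuristic to the real autostart entries; on the constructed list, `scan(SAMPLE_ENTRIES, "/home/alice")` flags only the init.d entry.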
The malware authors used the Zelix KlassMaster obfuscator (encryption) to make analysis more difficult. It creates a separate key for each class, so every class has to be analysed to recover the decryption keys.
The bot's executable contains an encrypted configuration file for the Mac OS launchd service, and the malware's internal workings are encrypted as well.

The malware uses PricBot, an open framework for implementing communication via IRC. Zombie computers then report to an Internet Relay Chat (IRC) channel that acts as the command-and-control server.

The botnet supports HTTP and UDP flooding (DDoS attacks) against a target whose details, i.e. address, port number, attack duration and number of threads to use, are received from the IRC channel.

Users should update their Java software to the latest release, Java 7 Update 51 of 14 January 2014, which can be found on Oracle's Java website. The next scheduled security update for Java is on 14 April 2014.

24-year-old Russian Hacker and Developer of SpyEye Banking Trojan pleads guilty

A Russian man pleaded guilty to conspiracy charges in a federal court in Atlanta on Tuesday for developing and distributing the banking malware 'SpyEye', which has infected more than 1.4 million computers worldwide since 2009.

Aleksandr Andreevich Panin, a 24 year old programmer, also known as Gribodemon and Harderman, was the main author of ‘SpyEye’, a sophisticated malware designed to steal people’s identities and financial information, including online banking credentials, credit card information, user names, passwords and PINs from their bank accounts without their knowledge.

SpyEye secretly infects the victim's computer and gives remote control to the cybercriminals, who access the infected computer through command and control servers and steal victims' personal and financial information through a variety of techniques, including web injects, keystroke loggers and credit card grabbers, without authorization.

Between 2009 and 2011, Panin conspired with Hamza Bendelladj to market and advertise the SpyEye malware on various online forums. He sold versions of the SpyEye virus to almost 150 clients for prices ranging from $1,000 to $8,500, and one of his clients, “Soldier,” is reported to have made over $3.2 million in a six-month period using the SpyEye virus.

SpyEye is a ready-made malware toolkit that has been used by cybercriminals since 2009 and is still in use today. The industry estimates that over 10,000 bank accounts were compromised by SpyEye infections in 2013 alone.

The case is being investigated by Special Agents of the Federal Bureau of Investigation (FBI), who stated,
“This investigation highlights the importance of the FBI’s focus on the top echelon of cyber criminals,” adding that “The FBI will continue working with partners domestically and internationally to combat cybercrime.”
In February 2011, the FBI searched and seized a SpyEye command and control server that controlled over 200 computers infected with the SpyEye virus and contained information from numerous financial institutions; it was allegedly operated by Hamza Bendelladj in Georgia.

In July 2011, FBI agents communicated directly with Panin and purchased a version of SpyEye that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and launch distributed denial of service (DDoS) attacks from computers infected with the SpyEye malware.

In January 2013, the Algerian man Hamza Bendelladj, who was also indicted in the case, was arrested in Thailand; the case against him is still pending. Panin was arrested in July 2013 while flying through Hartsfield-Jackson Atlanta International Airport in Atlanta, for allegedly using the Web to scam various banks.

First widely distributed Android bootkit Malware infects more than 350,000 Devices

In the last quarter of 2013, sales of smartphones running the ANDROID operating system increased, and every second person you see is a DROID user.

A Russian security firm 'Doctor Web' identified the first mass distributed Android bootkit malware called 'Android.Oldboot', a piece of malware that's designed to re-infect devices after reboot, even if you delete all working components of it.

The Android.Oldboot bootkit has infected more than 350,000 Android users in China, Spain, Italy, Germany, Russia, Brazil, the USA and some Southeast Asian countries. China accounts for the bulk of the victims, with a 92% share.

A bootkit is a rootkit variant that infects the device at start-up and may encrypt the disk, steal data, remove applications, or open a connection to a command and control server.

A very unusual technique is used to inject this Trojan into an Android system: the attacker places a component of it into the boot partition of the file system and modifies the 'init' script (which initializes the operating system) so that the malware is reloaded every time you switch on your Android device.

When you start the device, this script loads the Trojan 'imei_chk' (detected as Android.Oldboot.1), which extracts two files, libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin), and copies them to /system/lib and /system/app respectively.

Android.Oldboot runs as a system service, connects to the command and control server using the libgooglekernel.so library, and receives commands to download and install malicious apps or remove installed ones.

Since it becomes a part of the boot partition, formatting the device will not solve the problem. The researchers believe that the devices somehow had the malware pre-loaded at the time of shipping from the manufacturer, or was likely distributed inside modified Android firmware. So, users should beware of certain modified Android firmware.
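A small init.rc service parser that looks for the persistence described above, as an added example not taken from Doctor Web's analysis; it assumes the modified 'init' script is the ramdisk's init.rc, uses only the component names the article gives, treats a few stock directories as trusted service locations, and the init.rc fragment is constructed.

```python
# Components named in Doctor Web's analysis (from the article); not a complete signature set.
OLDBOOT_BINARIES = {"imei_chk"}
OLDBOOT_DROPS = {"/system/lib/libgooglekernel.so", "/system/app/GoogleKernel.apk"}
# Directories a stock boot image normally starts services from (assumption behind the heuristic).
TRUSTED_DIRS = ("/system/bin/", "/system/xbin/", "/sbin/", "/vendor/bin/")


def parse_services(init_rc):
    """Parse `service <name> <path> [args]` blocks from init.rc text into dicts."""
    services, current = [], None
    for raw in init_rc.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("service "):
            parts = line.split()
            current = {"name": parts[1], "exec": parts[2] if len(parts) > 2 else "",
                       "args": parts[3:], "options": []}
            services.append(current)
        elif line.startswith(("on ", "import ")):  # a new section ends the service block
            current = None
        elif current is not None:
            current["options"].append(line)
    return services


def suspicious_services(init_rc):
    """Return (service_name, reasons) for services matching Oldboot indicators or odd locations."""
    findings = []
    for svc in parse_services(init_rc):
        reasons, exe = [], svc["exec"]
        if exe.rsplit("/", 1)[-1] in OLDBOOT_BINARIES:
            reasons.append("known Android.Oldboot component")
        if exe and not exe.startswith(TRUSTED_DIRS):
            reasons.append(f"executable outside trusted directories: {exe}")
        if reasons:
            findings.append((svc["name"], reasons))
    return findings


def dropped_files_present(existing_paths):
    """Which of the files imei_chk drops into /system appear in a file listing of the device."""
    return sorted(OLDBOOT_DROPS & set(existing_paths))


# Constructed init.rc fragment: one stock service, one Oldboot-style entry, one odd location.
SAMPLE_INIT_RC = """\
import /init.environ.rc

on boot
    class_start core

service servicemanager /system/bin/servicemanager
    class core
    user system

service imei_chk /sbin/imei_chk    # entry the bootkit adds to the ramdisk's init script
    class core
    oneshot

service helper /data/local/tmp/helper
    class main
"""

if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_INIT_RC):
        print(name, "->", "; ".join(reasons))
```

Because the indicators live in the boot partition, the init.rc to check is the one pulled from the boot image, not the running system's copy.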

Two weeks ago, some Chinese security researchers also detected a bootkit called 'Oldboot', possibly the same malware or another variant of it:
"Due to the special RAM disk feature of Android devices’ boot partition, all current mobile antivirus products in the world can’t completely remove this Trojan or effectively repair the system."

"According to our statistics, as of today, there’re more than 500,000 Android devices infected by this bootkit in China in the last six months."
The Android.Oldboot malware is almost impossible to remove, even by formatting your device. But if your device is not from a Chinese manufacturer, the chances that you are a victim are very low.

This bootkit is not the first of its kind. Two years ago, in March, we reported that NQ Mobile Security Research Center had uncovered the world's first Android bootkit malware, called 'DKFBootKit', which replaces certain boot processes and can begin running even before the system is completely booted.

But the Android.Oldboot malware is more dangerous because, even if you successfully remove all of its working components from your Android device, the imei_chk component persists in a protected boot memory area, reinstalls itself on the next boot and so keeps the smartphone infected.

Users are recommended to install apps from authorized stores such as Google Play, disable installation of apps from ‘Unknown Sources’ and for a better security install a reputed security application.

You can also try to re-flash your device with its original ROM. After flashing, the bootkit will be removed.

Warning: Malicious version of FTP Software FileZilla stealing users' Credentials

Malware code can be very small, and the impact can be very severe! The Antivirus firm AVAST spotted a malicious version of the open source FTP (File Transfer Protocol) software 'FileZilla' out in the wild.

The software is open source, but it has been modified by the hackers so that it steals users' credentials, and the modified build is offered for download on various hacked sites through banner or text ads.

Once installed, the software's appearance and functionality are identical to the original version, so a user cannot tell the fake from the real one; the malware version of the “.exe” file is just slightly smaller than the real one.

"The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI."

The only difference is that the malware version uses 2.46.3-Unicode while the official installer uses v2.45-Unicode, as shown:
"We found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code."

The modified version copies the user's login information and sends it to a server that is apparently in Germany; the same IP address hosts three other domains, which are also associated with malware and spam activity.
"Login details are sent to attackers from the ongoing FTP connection only once. Malware doesn't search bookmarks or send any other files or saved connections," Avast explains.
This malicious version was compiled back in September 2012 and is still detected by just a couple of antivirus solutions. In the past, cybercriminals have also used Google AdSense to promote malicious software or modified open source software.

Be careful when downloading the FileZilla FTP client; such malware could also be used to spread more malware. Users are advised to download software from the official website only.