Lost+Found: Google hacks Windows and Android sleeper agents
Too small for news, but too good to lose, Lost+Found is a compilation of the other stories that have been on The H's radar over the last seven days: Google hacks Windows, structures in place of signatures, a backdoor scanner, musical Android malware, suspicious system files, John the Ripper and - inevitably - Chinese spies.
- Star Google hacker Tavis Ormandy has published details of a local privilege escalation vulnerability in Windows: "I have a working exploit that grants SYSTEM on all currently supported versions of Windows." The exploit is available to students on request. He also takes a couple of potshots at Microsoft: "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL", a reference to Microsoft's much vaunted Security Development Lifecycle, which was supposed to drastically reduce the number of security vulnerabilities.
- It is easy to fool anti-virus signature scanners. Anti-virus service Simseer is therefore experimenting with malware signatures derived from the structure of the program in the scanned file. This should reportedly allow detection of similarities with known malware families.
- Manufacturers installing backdoor accounts in embedded devices are starting to look like the rule rather than the exception. Security experts from IOActive Labs have developed a tool by the name of Stringfighter which aims to automatically identify backdoors in firmware images. Stringfighter has apparently already discovered a backdoor in programmable gateways produced by German manufacturer Turck. The tool has not yet been publicly released.
- Android phones as sleeper agents? Researchers at the University of Alabama at Birmingham (UAB) have investigated scenarios in which Android malware uses the smartphone's sensors to respond to external events. They postulate a trojan which remains inactive until it hears a piece of music.
- Malware researcher Nataraj Lakshman has used VirusTotal to test around 8000 system files delivered with various Windows versions. As expected, all 46 anti-virus programs unanimously agree that the files are harmless. When Lakshman compressed the files with various exe packers and retested them, however, the results were very different. Almost all of the files were detected as malware by at least 10 anti-virus programs. It appears that the mere use of an exe packer is suspicious enough for many anti-virus applications.
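One reason packed files trip scanners regardless of their contents is the byte-entropy heuristic: compression flattens the byte histogram, so a packed section looks like encrypted or random data. The following added example (not code from VirusTotal, from any scanner, or from Lakshman's test) measures Shannon entropy over a constructed stand-in for an unpacked code section and over the same data after zlib compression standing in for a packer. The 7.0 bits-per-byte cut-off is an assumed threshold for illustration, not a value taken from any product.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed cut-off for the heuristic; real scanners pick their own value.
PACKED_THRESHOLD = 7.0


def looks_packed(section: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Entropy heuristic of the kind a scanner applies per PE section."""
    return shannon_entropy(section) >= threshold


def constructed_plain_section(n_words: int = 8000, seed: int = 1234) -> bytes:
    """Constructed stand-in for an unpacked section: repetitive tokens, low entropy."""
    rng = random.Random(seed)
    words = [b"mov", b"push", b"call", b"ret", b"eax", b"ebx", b"ecx", b"edx",
             b"jmp", b"cmp", b"test", b"lea", b"add", b"sub", b"xor", b"pop"]
    return b" ".join(rng.choice(words) for _ in range(n_words))


def constructed_packed_section(plain: bytes) -> bytes:
    """Simulated packer output: the section compressed, which flattens its byte histogram."""
    return zlib.compress(plain, 9)


def classify(name: str, section: bytes) -> dict:
    """Summarise one section the way a scanner's report line would."""
    e = shannon_entropy(section)
    return {"name": name, "bytes": len(section),
            "entropy": round(e, 2), "packed": looks_packed(section)}


if __name__ == "__main__":
    plain = constructed_plain_section()
    packed = constructed_packed_section(plain)
    for row in (classify("plain", plain), classify("packed", packed)):
        print(row)
```

The plain section scores a few bits per byte and passes; the compressed copy of exactly the same content scores close to 8 and is flagged, which is why a benign system file can flip from "clean" to "suspicious" with no change other than packing.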
- Version 1.8 of all-purpose password cracker John the Ripper is sponsored by Metasploit producer Rapid7. Significant changes have been made to incremental mode, in which the program tests all possible character combinations. The program does not simply start at "a" and keep going until it gets to "0000000", however, but instead tries out the most probable character combinations first, based on pre-calculated conditional probabilities (Markov models).
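The Markov idea cuts both ways: the same conditional probabilities that let a cracker order its guesses also let a defender estimate how guessable a given password is. The following added example (not John the Ripper's own code, which trains on its own statistics and has its own ordering) builds a first-order character Markov model from a small constructed password list, with additive smoothing so unseen transitions keep a non-zero probability, and turns a password's probability into a "guess rank" in bits. A realistic strength meter would train on a large leaked-password corpus; the list, alphabet and function names here are all assumptions for illustration.

```python
import math
import string
from collections import Counter, defaultdict

# Constructed stand-in for a training corpus of common passwords.
TRAINING_PASSWORDS = [
    "password", "password1", "letmein", "welcome", "qwerty",
    "iloveyou", "monkey", "dragon", "sunshine", "princess",
    "football", "baseball", "master", "shadow", "michael",
]
ALPHABET = string.ascii_lowercase + string.digits
START = "^"  # sentinel context for "beginning of password"


def train_markov(passwords, alphabet=ALPHABET):
    """Return P(next_char | prev_char) for every context, with add-one smoothing."""
    counts = defaultdict(Counter)
    for pw in passwords:
        prev = START
        for ch in pw:
            counts[prev][ch] += 1
            prev = ch
    model = {}
    for prev in [START] + list(alphabet):
        total = sum(counts[prev].values()) + len(alphabet)  # +1 pseudo-count per symbol
        model[prev] = {ch: (counts[prev][ch] + 1) / total for ch in alphabet}
    return model


def log2_probability(model, password):
    """Sum of log2 P(ch | prev) along the password; higher means more probable (weaker)."""
    floor = min(model[START].values())  # fallback for characters outside the alphabet
    prev, total = START, 0.0
    for ch in password:
        p = model.get(prev, {}).get(ch, floor)
        total += math.log2(p)
        prev = ch
    return total


def guess_rank_bits(model, password):
    """Strength estimate: -log2 of the Markov probability, i.e. roughly how deep
    in a probability-ordered search this password would appear."""
    return -log2_probability(model, password)


def rank_by_likelihood(model, candidates):
    """Order candidates from most to least probable under the model: this is the
    ordering a Markov-driven incremental mode exploits, here used only to score."""
    return sorted(candidates, key=lambda pw: guess_rank_bits(model, pw))


if __name__ == "__main__":
    m = train_markov(TRAINING_PASSWORDS)
    for pw in rank_by_likelihood(m, ["x7q9zk2pv", "password1", "dragon99", "welcome"]):
        print(f"{pw:12s} {guess_rank_bits(m, pw):6.1f} bits")
```

Equal-length strings come out with very different bit scores: a password built from transitions the model has seen scores far lower (is far more guessable) than one of the same length with no familiar transitions, which is exactly why a cracker that orders by these probabilities finds it first.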
- The USA is not alone in suspecting Chinese cyber-espionage. Australia has also identified unauthorised access to state and military secrets. Among other incidents, confidential plans for the new headquarters of the Australian intelligence service (ASIO) are alleged to have been stolen.