MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6


Security wares like Kaspersky AV can make you more vulnerable to attacks


Antivirus applications and other security software are supposed to make users more secure, but a growing body of research shows that in some cases, they can open people to hacks they otherwise wouldn't be vulnerable to.

The latest example is antivirus and security software from Kaspersky Lab. Tavis Ormandy, a member of Google's Project Zero vulnerability research team, recently analyzed the widely used programs and quickly found a raft of easy-to-exploit bugs that made it possible to remotely execute malicious code on the underlying computers. Kaspersky has already fixed many of the bugs and is in the process of repairing the remaining ones. In a blog post published Tuesday, he said it's likely he's not the only one to know of such game-over vulnerabilities.

"We have strong evidence that an active black market trade in antivirus exploits exists," he wrote, referring to recent revelations that hacked exploit seller Hacking Team sold weaponized attacks targeting antivirus software from Eset.

He continued: "Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks. For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software. Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks."

As Ormandy suggested, the bugs he found in Kaspersky products would most likely be exploited in highly targeted attacks, such as those the National Security Agency might carry out against a terrorism suspect or spies pursuing an espionage campaign might carry out against the CEO of a large corporation. That means most people are probably better off running antivirus software than foregoing it, at least if their computers run Windows. Still, the results are concerning because they show that the very software we rely on to keep us safe in many cases makes us more vulnerable.

Kaspersky isn't the only security software provider to introduce bugs in their products. Earlier this month, security researcher Kristian Erik Hermansen reported finding four vulnerabilities in the core product marketed by security firm FireEye. One of them made it possible for attackers to retrieve sensitive password data stored on the server running the program. Ormandy has also uncovered serious vulnerabilities in AV software from Sophos and Eset.

In a statement, Kaspersky Lab officials wrote, "We would like to assure all our clients and customers that vulnerabilities publicly disclosed in a blogpost by Google Project Zero researcher, Mr. Tavis Ormandy, have already been fixed in all affected Kaspersky Lab products and solutions. Our specialists have no evidence that these vulnerabilities have been exploited in the wild."

The statement went on to say that Kaspersky Lab developers are making architectural changes to their products that will let them better resist exploit attempts. One change included the implementation of stack buffer overflow protection, which Ormandy referred to as "/GS" in his blog post. Other planned changes include the expansion of mitigations such as address space layout randomization and data execution prevention (for much more on these security measures see How security flaws work: The buffer overflow by Ars Technology Editor Peter Bright). Ormandy thanked Kaspersky Lab for its "record breaking response times" following his report.

Still, the message is clear. To do its job, security software must acquire highly privileged access to the computers it protects, and all too often this sensitive position can be abused. Ormandy recommended that AV developers build security sandboxes into their products that isolate downloaded files from core parts of the computer operating system.

"The chromium sandbox is open source and used in multiple major products," he wrote. "Don't wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."

Official source:


ARIN Finally Runs Out of IPv4 Addresses


It is often said, to those unfamiliar with Internet technologies, that "the Internet is running out of phone numbers," as a way to express that the Internet is running out of IPv4 addresses. IPv4 addresses, like phone numbers, are assigned hierarchically and thus have inherent inefficiency. The world's Internet population has been growing and the number of Internet-connected devices continues to rise, with no end in sight. In the next week, the American Registry for Internet Numbers (ARIN) will have exhausted its supply of IPv4 addresses. The metaphorical IPv4 cupboards are bare. This long-predicted Internet historical event marks the opening of a new chapter in the Internet's evolution. However, it is somehow anti-climactic now that this date has arrived. The Internet will continue to operate, but all organizations must now accelerate their efforts to deploy IPv6.

ARIN IPv4 Address Exhaustion

The Internet Assigned Numbers Authority (IANA) delegates authority for Internet resources to the five RIRs that cover the world. The American Registry for Internet Numbers (ARIN) is the Regional Internet Registry (RIR) for the United States, Canada, the Caribbean, and North Atlantic islands. ARIN has been managing the assignment of IPv4 and IPv6 addresses and Autonomous System (AS) numbers for several decades. Each RIR has been managing its limited IPv4 address stores and going through its various phases of exhaustion policies. ARIN has been in Phase 4 of its IPv4 depletion plan for more than a year now. ARIN will soon announce that it has completely extinguished its supply of IPv4 addresses.

At this point, the rules for how address resources are allocated will change. Address resource applicants may not get their justified request fulfilled and might be offered a smaller block or the choice to be added to a waiting list. This page documents the process for the waiting list for unmet IPv4 address requests. To review the unmet resource policies, consult the Number Resource Policy Manual (NRPM), check out section 4.1.8. However, when the supply of IPv4 address space drops to 0.00000, then there will be no more addresses to allocate. If IPv4 addresses become available, then the policies in the NRPM will dictate that they are given out based on the Waiting List for Unmet Requests method.
IPv4 Exhaustion Predicted for Decades

Predictions of IPv4 depletion date back to the early 1990s. The IETF formed the Address Lifetime Expectations (ALE) Working Group in the mid-1990s to analyze the rate of IPv4 adoption in anticipation that this date would come. IPv4 address supply concerns were the primary reason the IETF wanted to create a new version of the Internet Protocol (IP). The IETF IP Next Generation (IPng) working group started its work around that time and the first IPng was drafted around 1993. In those early days of the Internet, no one could have predicted the tremendous growth of the Internet. The IETF created Internet Protocol version 6 and finalized the header format with RFC 2460 in 1998. Each year, as the IPv4 Internet grew at breakneck speed, the transition to IPv6 has become more and more daunting.
Prolonging IPv4’s Lifespan

As the Internet began to grow, techniques like Classless Interdomain Routing (CIDR) and Network Address Translation (NAT) were used to extend life-support for IPv4 for almost two decades. Now ISPs are looking at using Carrier Grade NAT (CGN)/Large Scale NAT (LSN) to further prolong the use of IPv4. However, many of these multi-NAT techniques cause problems for many popular Internet applications. We can expect that there will be other techniques contrived to keep the much-loved IPv4 protocol running for decades to come.

No End in Sight for IPv4

Few organizations are thinking about when they may eventually stop using IPv4. Some enterprise organizations have not given IPv6 much thought and are not aggressively moving to implementing it. Organizations will not be able to transition right from using IPv4 to using IPv6 directly. The dual-stack transition technique is the dominant transition strategy (tunnels are to be avoided when possible). In other words, organizations are encouraged to use native IPv6.

Even if an organization starts to deploy IPv6 immediately, it will still require the use of IPv4 for years to come. IPv6 may not have a large impact on an organization's near-term IPv4 address constraints. Those few enterprise organizations are playing a dangerous "game of chicken" by ignoring IPv6. While there are techniques for prolonging the lifespan of IPv4, organizations may end up with limited options. Going forward, organizations that require additional IPv4 addresses will need to request them from their service provider (provided it has any addresses left to lease) or purchase them on the open market. As IPv4 address blocks get traded around and split up, we can expect the Internet routing tables to become increasingly fragmented.

Organizations that deploy IPv6 will be living in a dual-stack world for many years. During that period of using both IPv4 and IPv6 in parallel, organizations will likely incur increased operating expenses. Gradually, over time, the cost of running an IPv4 network will increase.
Now What? Move to IPv6!

So now that this Internet historic date of ARIN’s IPv4 run-out has arrived, we should review what our own organizations are doing to plan for the next phase of the Internet’s lifespan.

Internet Service Providers (ISPs) should already be well on their way through their IPv6 deployments. If you work for an ISP that has not yet started your IPv6 deployment then you are in serious danger of falling far behind your competitors.

If you are an enterprise organization, then your plans for the future need to be quickly defined and put into action. Your organization no longer has the option to continue to ignore IPv6. However, your organization may be planning to invest in purchasing additional IPv4 addresses. Your organization will be forced to tolerate the use of multiple layers of NAT and the application problems that come with it. Your organization will be forced to invest in larger Internet routers to be able to handle the rapidly expanding IPv4 Internet routing tables. Your organization should be planning for future years of legacy IPv4-Internet connectivity and actively moving toward full deployment of IPv6.

If your organization is one of those that waited to embrace IPv6, then you are in luck, as there are plenty of resources available to help you with your IPv6 planning and deployment. While can get you started learning the basics, you should visit the Internet Society Deploy360 Programme IPv6 page. You should also explore ARIN’s own Get6 site. We wish you the best of luck configuring your systems so you can reach the "whole Internet" using IPv6 and not just the "old Internet" using IPv4.

Official source:


Apple’s App Store infected with XcodeGhost malware in China


Apple has said it is taking steps to remove malicious code added to a number of apps commonly used on iPhones and iPads in China.

It is thought to be the first large-scale attack on Apple's App Store.

The hackers created a counterfeit version of Apple's software for building iOS apps, which they persuaded developers to download.

Apps compiled using the tool allow the attackers to steal data about users and send it to servers they control.

Cybersecurity firm Palo Alto Networks - which has analysed the malware dubbed XcodeGhost - said the perpetrators would also be able to send fake alerts to infected devices to trick their owners into revealing information.

It added they could also read and alter information in compromised devices' clipboards, which would potentially allow them to see logins copied to and from password management tools.

Infected applications include Tencent's hugely popular WeChat app, NetEase's music downloading app and Didi Kuaidi's Uber-like car hailing app.

Some of the affected apps - including the business card scanner CamCard - are also available outside China.

"We've removed the apps from the App Store that we know have been created with this counterfeit software," said Apple spokeswoman Christine Monaghan.

"We are working with the developers to make sure they're using the proper version of Xcode to rebuild their apps," said Christine Monaghan.

On its official WeChat blog, Tencent said the security issue affected an older version of its app - WeChat 6.2.5 - and that newer versions were not affected.

It added that an initial investigation showed that no data theft or leakage of user information had occurred.

In Apple's walled garden App Store, this sort of thing shouldn't happen.

The company goes to great lengths, and great expense, to sift through each and every submission to the store. Staff check for quality, usability and, above all else, security.

The Apple App Store is generally considered a safe haven as the barrier to entry is high - there's only been a handful of instances of malware found on iOS apps, compared to Google's Play store which for a while was regarded as something of a "Wild West" for apps (until they introduced their own malware-scanning system too).

It makes this attack all the more surprising, as it looks like two groups of supposedly informed people have been caught out.

Firstly developers, who security researchers say were duped into using counterfeit software to build their apps, creating the right conditions for the malware to be applied.

And secondly, Apple's quality testers, who generally do a very good job in keeping out nasties, but in this case couldn't detect the threat.

Official source:


Two-week-old WordPress malware attack is blossoming into a real threat


MALWARE DETECTING, preventing and protecting company Sucuri has warned the world about a problem in WordPress that is two weeks into the threat charts already and is rising rapidly.

The malware is called VisitorTracker, and its aim should be self-explanatory. Sucuri said that incidents of infection have had a sharp uptick in recent days, and the firm - which reported on it just two weeks ago - hopes that its reprise and update of the information will inform WordPress and encourage it to take action to mitigate the problem.

"We initially shared our thoughts on it via our SucuriLabs Notes, but as the campaign has evolved we have been able to decipher more information as we investigate the effects on more compromised sites," explained Sucuri CTO Daniel Cid in a blog post.

"This post should serve as a resource to help WordPress administrators (i.e. webmasters) in the WordPress community."

It may well do. The information suggests an evolving and interesting malware system that Cid said could be used to trick web users into trusting the most devious of webpages.

"This malware campaign is interesting. Its final goal is to use as many compromised websites as possible to redirect all their visitors to a Nuclear Exploit Kit landing page. These landing pages will try a wide variety of available browser exploits to infect the computers of unsuspecting visitors," he said.

"If you think about it, the compromised websites are just a means for the criminals to get access to as many endpoint desktops as they can. What's the easiest way to reach out to endpoints? Websites, of course."

Sucuri added that it is trying to track down the entry point, but that it might be any one of the many plugins that are released for the platform.

"We detected thousands of sites compromised with this malware just today and 95 percent of them are using WordPress. We do not have a specific entry point determined yet, but it seems to be a campaign targeting the latest vulnerabilities in plugins," the firm said.

"Out of all the sites we detected to be compromised, 17 percent of them already got blacklisted by Google and other popular blacklists."

Official source:


Lock screen flaw found in Android


A security flaw in Android that lets people bypass the lock screen on a mobile device has been discovered by researchers at the University of Texas.

They found that trying to unlock the phone or tablet with an abnormally long password caused the lock screen to crash in certain conditions.

The flaw was limited to Android Lollipop, the most recent version of the mobile operating system.

Google issued a patch for its Nexus devices on Wednesday.

About 21% of Android users run affected versions of the operating system.

After crashing the lock screen, the researchers were able to access the phone's data and apps.

The vulnerability could not be exploited if people had chosen a lock pattern or PIN code instead of a password.

While Google is rolling out its fix for Nexus, other phone manufacturers are responsible for distributing the software to their own handsets.

On releasing the patch, Google said it had not yet detected anybody exploiting the flaw.

Official source:


North Korea exploits 0-day in Seoul’s favourite word processor


FireEye researchers Genwei Jiang and Josiah Kimble say attackers from North Korea exploited a zero-day vulnerability in a word processor popular with South Korea's government.

The attackers went after the vulnerability (CVE-2015-6585) in the Hangul Word Processor prior to a patch issued last Monday.

Accurate attribution of North Korean actors is inherently difficult, but Jiang and Kimble say the attack payloads and infrastructure strongly point to the North. There is no suggestion of Pyongyang's involvement.

"While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye intelligence assesses that this activity may be associated with North Korea-based threat actors," the pair say in an advisory (PDF).

Attackers use a backdoor dubbed Hangman that can receive and send encrypted files and commands and gather system intelligence. Those backdoor samples point to the same command and control infrastructure used in a known North Korean attack in June dubbed "Macktruck".

Moreover, the backdoor's functions are seen in little else than another backdoor, dubbed PeachPit, which is pinned on North Korea-based attackers.

"This implies that PeachPit and Hangman were written by the same developers or, at minimum, share some of the same source code. Given that we have observed only limited use of backdoors such as PeachPit, it is reasonable to theorise that in addition to a common development history, the backdoors may be used by the same or closely related threat actors."

While the pair make no mention of intent, it is reasonable to expect the attackers sought access to Seoul government systems or those used by its contractors who are popular adopters of the Hangul Word Processor.

Attacks from the North against South Korea are commonplace. Many outside observers say the North is at an advantage because its internet infrastructure is so small while its target's attack surface is much larger.

Reports suggest the North Korean government rewards its Bureau 121 hackers handsomely. That unit, said to number 1,800 staff, is fingered for the devastating attack on Sony Pictures.

Official source:


Yahoo! won’t! fix! emoticon! exploit! in! death! row! Messenger!


Updated Hacker Julien Ahrens says Yahoo! Messenger contains a remote code execution hole that the Purple Palace won't fix.

The buffer overflow holes (CVE-2014-7216) will keep bleeding, Ahrens says, because Yahoo! has told him the relevant app is end-of-life and therefore low on Yahoo!'s to-do list.

Yahoo! has been contacted for comment.

Exploiting the flaw relies on victims installing new emoticon packages, a vector Ahrens feels is a very live threat given that instant messaging users are rather keen on new sets of smiley faces. Those who install the corrupt emoticon package will hand attackers the same access rights they have. If the ruse fails, Yahoo! Messenger will crash.

Here's how Ahrens explains the mess:

The application loads the content of the file emoticons.xml from two different directories when a user logs in to determine the available emoticons and their associated shortcuts … but the application does not properly validate the length of the string of the shortcut and title key values before passing them as an argument to different lstrcpyW calls.

This leads to a stack-based buffer overflow condition, resulting in possible code execution.
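As an added illustration, not code from Yahoo! or from Ahrens' advisory, here is the pattern he describes beside a corrected version: an emoticon loader that copies the shortcut and title values into fixed-size stack buffers. The buffer sizes, the record layout and the function names are assumptions made for this example, and wcscpy stands in for lstrcpyW so that it compiles on any platform.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical in-memory record for one entry read from emoticons.xml.
 * The field sizes are assumptions for this example; the article does not
 * give Yahoo! Messenger's real buffer sizes. */
#define SHORTCUT_MAX 16
#define TITLE_MAX    64

struct emoticon {
    wchar_t shortcut[SHORTCUT_MAX];
    wchar_t title[TITLE_MAX];
};

/* BEFORE: the defect pattern Ahrens describes. wcscpy behaves like
 * lstrcpyW: it copies until the terminating NUL and never looks at the
 * destination size, so a shortcut or title value longer than its buffer
 * overwrites whatever follows it on the stack. It is only ever called with
 * well-formed input below, because anything else is undefined behaviour. */
void load_emoticon_unchecked(struct emoticon *e,
                             const wchar_t *shortcut, const wchar_t *title)
{
    wcscpy(e->shortcut, shortcut);
    wcscpy(e->title, title);
}

/* AFTER: measure first, copy only if the value (plus its NUL) fits, and
 * return a failure the caller can turn into "malformed emoticon package". */
int load_emoticon_checked(struct emoticon *e,
                          const wchar_t *shortcut, const wchar_t *title)
{
    size_t slen = wcslen(shortcut);
    size_t tlen = wcslen(title);
    if (slen >= SHORTCUT_MAX || tlen >= TITLE_MAX)
        return -1;
    memcpy(e->shortcut, shortcut, (slen + 1) * sizeof(wchar_t));
    memcpy(e->title, title, (tlen + 1) * sizeof(wchar_t));
    return 0;
}

/* Load one entry into a stack-allocated record, as a loader walking the
 * XML would; returns 0 when accepted, -1 when rejected. */
int check_entry(const wchar_t *shortcut, const wchar_t *title)
{
    struct emoticon e;
    return load_emoticon_checked(&e, shortcut, title);
}

/* Build constructed values of the given lengths (the kind of oversized
 * content a hostile emoticons.xml would carry) and run them through the
 * checked loader. */
int check_entry_len(size_t slen, size_t tlen)
{
    wchar_t s[256], t[256];
    size_t i;
    if (slen >= sizeof s / sizeof s[0] || tlen >= sizeof t / sizeof t[0])
        return -1;
    for (i = 0; i < slen; i++) s[i] = L'A';
    s[slen] = L'\0';
    for (i = 0; i < tlen; i++) t[i] = L'B';
    t[tlen] = L'\0';
    return check_entry(s, t);
}

int main(void)
{
    struct emoticon e;
    load_emoticon_unchecked(&e, L":-)", L"smile");   /* fine for short values */
    printf("short values accepted:  %d\n", check_entry(L":-)", L"smile"));
    printf("40-char shortcut:       %d\n", check_entry_len(40, 5));
    printf("longest legal values:   %d\n",
           check_entry_len(SHORTCUT_MAX - 1, TITLE_MAX - 1));
    return 0;
}
```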

Ahrens claims Yahoo! sat on the bug since he first disclosed it in May last year, then approved his public disclosure last month after saying it will not fix the hole.

Ahrens quotes US government industry think tank MITRE as saying the emoticon package would normally be excluded from receiving a CVE vulnerability number but was given one because of an "existence proof that third parties actually do offer sets of emoticon files" and that "Yahoo! Messenger users actually do copy these" to the required directories.

Ahrens also took a swipe at Yahoo!'s bug bounty program, which declined to send him a cheque for finding this flaw, despite Yahoo! Messenger being, by his reading, explicitly covered in the company's terms and conditions.

Update Yahoo!'s been in touch to say it "takes the security of our users very seriously, and as soon as we learned of this potential vulnerability, our team responded immediately to the security researcher and began an investigation. As the security researcher noted himself, 'exploitation [of this vulnerability] might be tricky,' and would take significant additional technological hurdles."

"Upon extensive investigation by our team," the spokesentity continued, "we’ve determined that this vulnerability is not easily exploitable, requiring users to actively install unsupported 3rd-party software into Messenger, and does not present a viable security threat to our users. We’ll continue to work with our thriving bug bounty community to ensure the most secure experience possible for our users.”

Official source:


Hackers spread malware via Yahoo ads


Hackers who previously exploited vulnerabilities in Adobe Flash have now used advertising on Yahoo's largest websites to distribute malware to billions, according to researchers at Malwarebytes. The technique, growing at an alarming rate, is facilitated when an attacker tricks an automated ad network into delivering malware embedded in ads.

The attack, which reportedly began on July 28, took on Yahoo's ad network and leveraged Microsoft Azure websites to spread the Angler Exploit Kit onto the desktop PCs of unsuspecting site visitors, the researchers noted. The kit has seen its market share explode from 25 percent to 83 percent this year, according to Fraser Howard, a researcher at SophosLabs.

“With the pure scale and size of Yahoo, many people may have fallen victim to this attack,” Grayson Milbourne, security intelligence director at Webroot, told SC Magazine.

This, of course, is not the first instance of malvertising. Yahoo and AOL users were previously infected in January 2014, and Yahoo was hit with a similar attack again in October. Additionally, DoubleClick, Google's ad network, was attacked in September 2014, with a repeat in January.

According to RiskIQ, malvertisements grew 260 percent between January and June over the same period last year. The number of unique malvertisements leaped 60 percent year over year.

While Yahoo did stop the malvertising soon after being alerted, it also noted in a statement to Malwarebytes that it is “committed to ensuring that both our advertisers and users have a safe and reliable experience.”

The statement from Yahoo also said it will continue to "ensure quality and safety" of its ads through automated testing and through the SafeFrame working group. This alliance works to protect web users from security risks inherent in the online ad ecosystem.

Yet Milbourne noted that, given the immense number of users of Yahoo's websites, "this exploit raises serious questions about the size of this attack and Yahoo's security processes."

He advised users to select the Chrome browser as well as an ad-removal extension. “This combination offers the best chance of preventing an ad network redirect to an exploit kit,” Milbourne said. “When in doubt, steer clear and stay safe.”

Official source:


Mobile device screens recorded using the Certifi-gate vulnerability


Vulnerable plug-ins have been installed on hundreds of thousands of Android devices, allowing screens to be recorded, according to data from the scanning tool which discovered that the so-called Certifi-gate vulnerability is already being exploited in the wild.

The Certifi-gate vulnerability was disclosed by security researchers at Check Point during the Black Hat conference in Las Vegas earlier this month.

The Check Point team also released a scanner app that checks Android devices for the vulnerability. Users have the option to share scan results with Check Point.

The Certifi-gate scanner app has nearly 100,000 downloads on Google Play, and Check Point has received over 30,000 anonymous scan results from users. These anonymous stats have allowed Check Point to assess the level of exposure to the vulnerability across different devices and vendors.

More than 40 per cent of all the scan samples showed devices were vulnerable to Certifi-gate.

And 16 per cent of samples showed a vulnerable plug-in was installed on the device, allowing any malicious application to take full control of the device by exploiting the installed plug-in.

In fact, a handful of scanned devices had already been exploited with a specific app from a UK-based company, available from the Play Store, which has already seen between 100,000 and 500,000 downloads.

The Recordable Activator app, developed by Invisibility, uses the Certifi-gate vulnerability, bypassing the Android permission model to access system level resources.

Avi Basham, a mobile security researcher at Check Point, explained that the app is able to record the screen of the devices on which it is installed. Users of affected devices are not notified that this is happening, and the whole process is in any case something that should not be possible on devices that are not jailbroken.

“It exploits the Certifi-gate vulnerability to gain system permissions,” Basham told El Reg. “This should violate Play Store conditions.”

Christopher Fraser, a representative of Invisibility, responded to our queries by explaining that developers did not set out to exploit a vulnerability.

Recordable is a screen recorder ... able to record the screen via four possible methods: "activation" via USB, Android 5 projection, root, and via the TeamViewer plugin (which saved people having to activate on older versions of Android).

Recordable Activator used the older versions of the TeamViewer plugin in exactly the same way that TeamViewer did. It did this in response to a user requesting it ... and would notify the user in the same way that TeamViewer would.

Google removed the older version of the TeamViewer plugins a few weeks ago and has now removed Recordable Activator.

Recordable is primarily used by gamers wanting to record their gameplay and upload it to YouTube. Hundreds of thousands of kids use it to run their YouTube channels.

El Reg also quizzed Google, which confirmed that the app had been suspended.

The Certifi-gate vulnerability is a risk for apps downloaded from third-party app stores as well as Google Play, although scanning using the Check Point tool has only turned up issues on Google Play thus far.

Certifi-gate takes advantage of security shortcomings in the architecture of popular mobile Remote Support Tools (RSTs) used by almost every Android device manufacturer and network service provider.

Malicious applications could gain unrestricted access to a targeted device by impersonating plug-ins for legitimate tools such as Team Viewer, as explained in greater depth in a blog post by Check Point here.

Official source:


Hammertoss, the Russian-made virus that arrives with a photo on Twitter


The malware was created by the hacker group APT29. The attackers managed to issue instructions through monitored accounts in order to exfiltrate secret information.
Among their aims is communicating without anyone noticing, using the technique of 'steganography'.

You cannot feel safe even on social networks. Not even when sending a harmless 'tweet' on Twitter. The virus threat can now hide even in the world's most famous 140 characters.

Turning the social network founded by Jack Dorsey into an improvised weapon was a group of Russian hackers known as 'APT29', a group believed to be close to the Moscow government.

The 'Trojan horse' used by the skilled Russian hackers is the photo attached to tweets: into the bits of the images they have inserted malware which, entering through backdoors (the service doors of our systems), manages, without anyone noticing, to reach computer networks that are in theory highly protected and control them remotely.

The new technique was used in recent months by hackers in the service of the Russian government to breach the computer systems of the US government and the American defence industry: in April CNN reported a cyber attack by Russian hackers on the White House computer system, while a few months ago the New York Times revealed that Russian hackers had been able to read (non-classified) emails of US President Barack Obama. The new technique therefore seems to fit into the 'cyber' war between Moscow and Washington, just one chapter of the tensions between Russia and the United States that have flared up again recently.

The technique demonstrates the skill of these hackers, who are able to change their tactics on the fly once discovered.
"Hammertoss", as the virus was named by the network-protection company FireEye that discovered it, is invisible to most systems.
The hackers' aims are many: among them, to communicate and exchange secret information on Twitter without anyone noticing, via the old-school espionage technique known as 'steganography', in which only sender and recipient know a code that lets them hide, in an ordinary and apparently innocuous page of text, secret information that cannot be detected without knowing the decryption key.

How the malware works is not that complicated: once the PC is infected, the virus uses an algorithm to check a specific Twitter account every day. At that point, using "Hammertoss", the hackers were seen to issue instructions (by sending a simple 'cracked' image to the Twitter account) in order to send secret information held on a government agency computer to an encrypted 'cloud storage' system (a digital archive on the network).

The computers are given an algorithm to check different Twitter accounts each day. If someone registers that account and tweets certain messages, instructions for a series of actions on that PC are triggered. In detail, the information tweeted on the monitored account includes a web address, a number and a handful of letters.
The infected computer then goes to the indicated website and looks for a photo of at least the size indicated by the number, while the letters are part of a key to decode the instructions contained in a hidden message inside the data used to display the photo on the website.
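The daily check described above ends with the infected machine pulling instructions hidden inside image data. The article does not say how the data is concealed; one common approach, assumed here, is to append it after the image's end marker, where viewers never look. This added example, not from the article or from FireEye, checks PNG and JPEG files for such trailing bytes so that a defender triaging suspicious images has a quick first test; the sample images are constructed, not real artefacts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset just past the IEND chunk of a PNG, or 0 if not a well-formed PNG.
 * Chunk CRCs are not verified; only the container structure matters here. */
static size_t png_end(const uint8_t *b, size_t n)
{
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    size_t off = 8;
    if (n < 8 || memcmp(b, sig, 8) != 0)
        return 0;
    while (off + 12 <= n) {                      /* length + type + CRC */
        uint32_t len = ((uint32_t)b[off] << 24) | ((uint32_t)b[off + 1] << 16) |
                       ((uint32_t)b[off + 2] << 8) | (uint32_t)b[off + 3];
        const uint8_t *type = b + off + 4;
        if (len > n - off - 12)
            return 0;                            /* truncated chunk */
        off += 12 + len;
        if (memcmp(type, "IEND", 4) == 0)
            return off;
    }
    return 0;
}

/* Offset just past the EOI marker of a JPEG, or 0 if not a well-formed JPEG.
 * Segments are walked up to SOS; the entropy-coded data is then scanned for
 * FF D9, which cannot occur inside it (a data FF is stuffed as FF 00, and
 * the only other embedded markers are RSTn). */
static size_t jpeg_end(const uint8_t *b, size_t n)
{
    size_t off = 2;
    if (n < 4 || b[0] != 0xFF || b[1] != 0xD8)
        return 0;
    while (off + 4 <= n) {
        uint8_t m;
        size_t seglen;
        if (b[off] != 0xFF)
            return 0;
        m = b[off + 1];
        if (m == 0xD8 || m == 0x01 || (m >= 0xD0 && m <= 0xD7)) {
            off += 2;                            /* standalone marker */
            continue;
        }
        seglen = ((size_t)b[off + 2] << 8) | b[off + 3];
        if (seglen < 2 || seglen > n - off - 2)
            return 0;
        off += 2 + seglen;
        if (m == 0xDA) {                         /* SOS: scan data follows */
            for (; off + 1 < n; off++)
                if (b[off] == 0xFF && b[off + 1] == 0xD9)
                    return off + 2;
            return 0;
        }
    }
    return 0;
}

/* Number of bytes following the image's formal end. Viewers ignore them,
 * which is exactly what makes them a convenient hiding place; a non-zero
 * result is worth a closer look. Returns 0 for unrecognised input. */
size_t trailing_bytes(const uint8_t *b, size_t n)
{
    size_t end = png_end(b, n);
    if (end == 0)
        end = jpeg_end(b, n);
    return (end == 0 || end > n) ? 0 : n - end;
}

/* Constructed samples: a 1x1 RGBA PNG, the same PNG with six bytes appended,
 * and a minimal JPEG (SOI, one SOS, EOI) with three bytes appended. */
static const uint8_t kPngClean[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0,
    0x1F, 0x15, 0xC4, 0x89,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82
};
static const uint8_t kPngWithPayload[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0,
    0x1F, 0x15, 0xC4, 0x89,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82,
    's', 'e', 'c', 'r', 'e', 't'                  /* appended data */
};
static const uint8_t kJpegWithPayload[] = {
    0xFF, 0xD8,                                   /* SOI */
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00, /* SOS */
    0x00, 0xFF, 0x00,                             /* scan data, stuffed FF */
    0xFF, 0xD9,                                   /* EOI */
    'x', 'y', 'z'                                 /* appended data */
};

int main(void)
{
    printf("clean PNG:    %zu trailing bytes\n", trailing_bytes(kPngClean, sizeof kPngClean));
    printf("PNG+payload:  %zu trailing bytes\n", trailing_bytes(kPngWithPayload, sizeof kPngWithPayload));
    printf("JPEG+payload: %zu trailing bytes\n", trailing_bytes(kJpegWithPayload, sizeof kJpegWithPayload));
    return 0;
}
```

Trailing bytes are only one hiding place; data that is genuinely blended into pixel values needs statistical or comparison-based checks that this test does not attempt.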

In recent months APT28, another group of hackers backed by the Russian government, had used a flaw in Adobe software to infect high-level targets.

Official source: