Cybercriminal Exotics: Outstanding Incidents And The Following Trends

January 31, 2014

Readers who follow our information security digests may have already noticed several exotic incidents and malware campaigns, which took place over the past three months. Some of them deserve special attention because they clearly show trends for the future.

Drone hijack

The greatest example of them is not a genuine incident but a model situation. One hacker (more accurately an information security expert) named Samy Kamkar created a device that seizes the control of unmanned aerial vehicles and actually zombifies them. Kamkar arranged a set of unrestricted equipment for that. The most expensive component is the UAV Parrot AR.Drone 2 ($300) to be supplied with a cheap WiFi transmitter Alfa AWUS036H ($30), a Raspberry Pi computer ($35) and a set of software including Aircrack-ng, node-ar-drone library, node.js platform and Kamkar’s own developed software SkyJack (an application written in Perl). The total cost is about $400.


After approaching another similar UAV at a distance sufficient to establish WiFi connection, the SkyJack drone is able to take over the control of an UAV and act as its master. And zombify it. You can seize not just one UAV, but an army of them, and can really do this from the ground by using any laptop with the right programs installed.

All this would have been funny, but Amazon just recently announced that they would use UAVs to deliver packages to their consumers, so it’s easy to imagine what is going to happen if their drones are just as easily hijacked. And the needed stuff for that is really improvised. All the software including Kamkar’s SkyJack is publicly available, the aforementioned UAVs, Raspberry Pi’s and WiFi transmitters are sold freely.

You may dream a little and imagine what would happen if, for example, there were a way to massively hijack drones used by the police, civil services, etc.

Of course, this is likely to remain visionary, but only if UAV manufacturers take all necessary measures to improve their firmware protection.

Actually, the story of possible massive UAVs’ hijacking is a direct and very successful illustration of the thesis expressed in the last year’s Harvard Business Review. The growing “Internet of things” in our lives will make hackers’ attacks more physical by nature. As software packages and operating systems of yesterday and today the tomorrow’s smart devices will become targets for hackers, if manufacturers do not take to building upon security reasons and applying appropriate technologies, starting from the engineering design.

Browser botnet and SQL injections with the help of Google

Browsers have always been a source of security problems to this day, despite the numerous efforts of developers to improve their products’ security. For malicious software, browsers stay the main doorway to users’ computers. Sometimes it is just too exquisite. Over the last few months, exotic incidents were observed when attackers used other people’s browsers to organize attacks.

For example, experts recently announced the discovery of a botnet consisting of… browser addons. Bots posed as addons for Mozilla Firefox called Microsoft. NET Framework Assistant. They must have disguised themselves quite successfully, though it is still a mystery how exactly computers were infected.

Whatever it was, the successfully leeching malicious addons used infected PCs as a distributed platform for scanning sites for SQL vulnerabilities. Of course, those were the sites visited by people’s infected browsers: while an infection victim surfs a background addon scans the visited sites for exploitable vulnerabilities.botnet

The manual SQL vulnerability scan takes a lot of time and the botnet allowed automating that.

The botnet under a symbolic name Advanced Power comprised approximately 12,500 computers. It did since the Firefox developers have already blocked malicious addons, and now antivirus programs detect them effortlessly.

The general trend is amusing, for the matter is programming and streaming targeted search with the exploitation of specific flaws in software.

But the approach here is of special interest. The main task of this malicious network, atypical in its nature, was to look for vulnerable sites automatically. Attackers have found at least 1,800 such sites, so that by the time of its closure the botnet had already done its duty to some extent.

We should also remember the more exotic way to exploit SQL; through vulnerabilities, a tactic invented by tricksters. Last fall we wrote about SQL injections with the help of Google search robot.

The described process appears to be relatively easy. The attacker creates Site A, which looks quite legitimate, but offers a few links that contain malicious SQLI requests to the target site (Site B). The Google’s robot bypasses Site A and follows those expected links to Site B simultaneously and involuntarily attacking it.

Access to crawlers is rarely closed therefore such attacks are very dangerous, especially if you do not check those websites for vulnerabilities by yourself.

The same series of incidents may have to include two campaigns against the sites that use the popular content management system WordPress. The first attack began in April; the second one was detected in August. In both cases, a large botnet tried to brute-force logins and passwords to WordPress’ admin panels. There were speculations that it was done to create an even larger botnet of the compromised servers running this CMS. It seems like it never happened, but it does not mean there are going to be no more attempts in the future.

The general trend is amusing, for the matter is programming and streaming targeted search with the exploitation of specific flaws in software. The trend appears quite natural from the commercial perspective. Any business (especially a criminal one) strives for minimizing costs and efforts to maximize efficiency and profitability; the wider coverage and the more automation the better.

Another pertinent illustration is the incident with one of the largest U.S. retailers Target, which seemed to let customers’ private information leak directly off the payment terminals. Those were the credit and debit data of 40 million people. But we will talk about it separately.